Since OpenSSL decided not to use the regular ciphers but make this a
separate option, we now make this a separate option as well.
So there is ::ciphers for <=TLSv1.2 and ::ciphersuites for TLSv1.3
More documentation will follow.
Patch from 'i' in https://bugs.unrealircd.org/view.php?id=5149
Add the ASCII character codes for strikethrough (0x1E, 30) and
monospace (0x11, 17) to the _StripControlCodes function. This
addresses those formatting characters not being filtered when the
"nocodes" module is loaded.
See https://modern.ircdocs.horse/formatting.html#characters
any other bans that will cause the user to be disconnected.
For technical details see the banned_client() function.
It's likely I made some mistakes somewhere => testing required!!
from antirandom checking because they frequently cause false positives.
This new behavior can be disabled via:
set { antirandom { except-webirc no; }; };
Suggested by The_Myth in https://bugs.unrealircd.org/view.php?id=5007
This is meant to blacklist modules that are in modules.default.conf (or
elsewhere). The 'loadmodule' line for any such module is effectively ignored.
https://bugs.unrealircd.org/view.php?id=5118
Note: I had to move the loadmodule code. Previously this was done as each
config file (include) was loaded into memory. Now it is done after *ALL*
config files have been read into memory. This shouldn't matter for module
devs, though..
Compiling already works (this is already tested by AppVeyor for quite a
while), but the installer in git required VS 2015. The actual releases
up to now required VS 2012.
To be more precise, either VS 2015 Redist or VS 2017 Redist is enough,
the x86 version that is, as they are binary compatible and both provide
"version 14". So if one of those is installed, the installer just runs.
If neither of these is installed we tell the user to install the VS 2017
Redist package, not mentioning 2015 as it would only cause confusion.
is found. This fixes an issue on Ubuntu 18 where the library is
stored in /usr/include/x86_64-linux-gnu and ./Config doesn't detect
it and thus reverts to using local-curl.
curl enabled but without system curl, the build could fail with
a libCURL configure error. This is because it imported the
CURLDIR but it referred to an old UnrealIRCd directory.
Reported by The_Myth (#5106)
For example Ubuntu 16.04 LTS with OpenSSL 1.0.2g.
Especially in strict config it would error 'No shared ciphers'.
Had to do with #if(def) ordering. SSL_CTX_set_ecdh_auto() is
still required in 1.0.x even if SSL_CTX_set1_curves_list() is
used. Understandable.
Change from this TLSv1.2 and TLSv1.3 message:
*** You are connected with TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384-256bits
*** You are connected with TLSv1.3-TLS_AES_256_GCM_SHA384-256bits
To this:
*** You are connected with TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384
*** You are connected with TLSv1.3-TLS_AES_256_GCM_SHA384
Since: 1) those bits are redundant (AES 256 is already mentioned),
and 2) Bits are also not a universal method to measure strength across
algorithms (think: elliptic curve).
(Not too surprising when add is 0 and delete is 1)
Not fatal, as error was still handled & sent, but it went to
all opers instead of just the one person adding it..
the following remarks:
* We only set these curves if SSL_CTX_set1_curves_list() is available
(OpenSSL 1.0.2 or later, LibreSSL 2.5.1 or later)
* The X25519 curve is only added if it is available (OpenSSL 1.1.0+)
This requires OpenSSL 1.0.2 or newer (released on 22 Jan 2015).
Also fix a bug with OpenSSL 1.1.0+ where - due to removal of an API
function - we accidentally forced curve P-256 rather than automatic
selection. That sucks because the automatic selection (since 1.0.2+)
allows supporting multiple curves and selecting the highest one.
+dnl This is purely for charsys.c... I like it so we can easily read
+dnl this for non-utf8. We can remove it once we ditch non-utf8 some day
+dnl of course, or decide to ignore me and encode them.
-int hooktype_mode_deop(aClient *sptr, aClient *victim, aChannel *chptr, u_int what, char modechar, long my_access, char **badmode);
+int hooktype_mode_deop(aClient *sptr, aClient *victim, aChannel *chptr, u_int what, int modechar, long my_access, char **badmode);
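Review bot: modechar in hooktype_mode_deop() changes from char to int with no note for module authors. Any module that defines this hook with the old "char modechar" parameter no longer matches the prototype, so list the new signature in the module-coder notes and add a one-line comment above the prototype saying that modechar still carries a single mode character.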
.. this to get rid of a compiler warning and potential problem.
Can't safely use shorts with variable argument functions I think,
or maybe only with reduced type checking which is not what we want.
-void hooktype_channel_synced(aChannel *chptr, unsigned short merge, unsigned short removetheirs, unsigned short nomode);
+void hooktype_channel_synced(aChannel *chptr, int merge, int removetheirs, int nomode);
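Review bot: merge, removetheirs and nomode in hooktype_channel_synced() lose their unsigned type and nothing states which values they may take. If they are 0/1 flags, say so in a comment next to the prototype, so callers do not start passing negative or wider values now that the type is int.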
m_pass and m_topic.c when duplicating strings with a length limit.
+/* strldup(str,max) copies a string and ensures the new buffer
+ * is at most 'max' size, including nul byte. The syntax is pretty
+ * much identical to strlcpy() except that the buffer is newly
+ * allocated.
+ * If you wonder why not use strndup() instead?
+ * I feel that mixing code with strlcpy() and strndup() would be
+ * rather confusing since strlcpy() assumes buffer size including
+ * the nul byte and strndup() assumes without the nul byte and
+ * will write one character extra. Hence this strldup(). -- Syzop
+ */
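Review bot: the strldup() comment leaves the edge cases open: it does not say what is returned when max is 0 or str is NULL, nor that the caller must free the returned buffer. Since the comparison with strlcpy() is the point of the comment, add a line stating that at most max-1 characters are copied and that the result is always nul-terminated.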
The output of /IRCOPS isn't meant to be client parsable anyway (which
can be seen by the use of bold text and such), so using a generic
numeric rather than wasting two others seems sensible.
Reported by The_Myth in #5066.
We only parsed the first A record reply, so if the blacklist returned
multiple results /and/ you would not have all those types in your
blacklist { } block then you could miss a hit (false negative).
On *NIX now always redirect stdin, stdout and stderr to /dev/null for
safety and to prevent any ssh hanging as reported by mbw (#5087).
This code needs some testing on non-Linux though it should be all
POSIX, unless I missed something... :)
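An added C example of this kind of redirect (not the UnrealIRCd implementation; the function names are hypothetical). It runs the redirect in a child process, including the case where fd 0 was already closed at start-up, and confirms that all three descriptors end up on /dev/null.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point fds 0, 1 and 2 at /dev/null. Returns 0 on success, -1 on error. */
int redirect_stdio_to_devnull(void)
{
    int fd = open("/dev/null", O_RDWR);
    int i;

    if (fd < 0)
        return -1;
    for (i = 0; i <= 2; i++) {
        /* dup2(fd, fd) is a no-op, which covers the case where a standard
         * descriptor was closed and open() handed us 0, 1 or 2. */
        if (dup2(fd, i) < 0) {
            if (fd > 2)
                close(fd);
            return -1;
        }
    }
    if (fd > 2)
        close(fd); /* do not leak the extra descriptor into the daemon */
    return 0;
}

/* Returns 1 when fd refers to the same device node as /dev/null. */
static int is_devnull(int fd)
{
    struct stat a, b;

    if (fstat(fd, &a) < 0 || stat("/dev/null", &b) < 0)
        return 0;
    return S_ISCHR(a.st_mode) && a.st_rdev == b.st_rdev;
}

/* Runs the redirect in a child so the caller keeps its own terminal.
 * close_stdin_first simulates being started with fd 0 already closed.
 * Returns 1 when all three descriptors ended up on /dev/null. */
int check_redirect_in_child(int close_stdin_first)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return 0;
    if (pid == 0) {
        if (close_stdin_first)
            close(0);
        if (redirect_stdio_to_devnull() < 0)
            _exit(2);
        _exit(is_devnull(0) && is_devnull(1) && is_devnull(2) ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("normal start: %s\n", check_redirect_in_child(0) ? "ok" : "FAILED");
    printf("fd 0 closed:  %s\n", check_redirect_in_child(1) ? "ok" : "FAILED");
    return 0;
}
```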
This is for easier parsing of the "MODE yournick" response.
From:
:maintest.test.net 008 testuser :Server notice mask (+kcfjvGqSso)
To:
:maintest.test.net 008 testuser +kcfjvGqSso :Server notice mask
Reported by emerson in #5079.
listen::ssl-options, sni::ssl-options or link::outgoing::ssl-options
are used. In short: it only reloaded the ones from set::ssl until
now. Bug reported by Mr_Smoke (#5072)
Built-in time synchronization was added in 2006 when many computers did not
do time synchronization by default. Nowadays nearly all operating systems,
including many Linux distros, Windows and OS X have time synchronization
enabled out of the box.
You can still re-enable the built-in timesynch feature via:
set { timesynch { enable yes; }; };
..but you should really use NTP instead.
This affected the following errors:
* Max SendQ exceeded
* Excess Flood
* Flood from unknown connection
* SSL Handshake flood detected
* Rejected link without SSL/TLS
* Various errors from the websocket module
* Other errors generated by 3rd party modules
This posed a limitation with utf8 PROTOCTL NICKCHARS=... and
potentially PROTOCTL SERVERS=... if having more than 32 servers.
The limitation has now been removed (buffer length = 512)
Also call the UTF8 charsys support experimental. Not so much because
of issues in UnrealIRCd that are unique to utf8 but because of the many
"buts" such as lack of services support. And people suddenly waking up
and realizing there never was improved CASEMAPPING and "visually identical
character checks" in original charsys either.
This is the "non breaking space" outside UTF8 and thus was previously
blacklisted. Keeping it blacklisted even if it appears in UTF8 is not
really an option as it means some UTF8 characters can never be used,
like the letter "nun" in Hebrew, and likely others.
module but at least the code can be updated on the fly (or replaced
with some other secondary alternative module in the future).
src/charsys.c -> src/modules/charsys.c
This also means everyone needs to load the modules/charsys module.
See https://www.unrealircd.org/docs/Nick_Character_Sets
Example: set { allowed-nickchars { latin-utf8; }; };
Important remarks:
* All your servers must be on UnrealIRCd 4.0.17 (or later)
* Most(?) services do not support this, so users using UTF8 nicknames
  won't be able to register at NickServ.
* In set::allowed-nickchars you must either choose an utf8 language
  or a non-utf8 character set. You cannot combine the two.
* You also cannot combine multiple scripts/alphabets, such as:
  latin, greek, cyrillic and hebrew. You must choose one.
* If you are already using set::allowed-nickchars on your network
  (eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
  * Your clients may still assume non-UTF8
  * If users registered nicks with accents or other special characters
    at NickServ then they may not be able to access their account
    after the migration to UTF8.
[!] Work in progress [!]
"SSL_accept(): Internal OpenSSL error or protocol error: tls_process_client_hello: unsupported protocol"
rather than just
"SSL_accept(): Internal OpenSSL error or protocol error"
Perhaps it can be shortened in a later version if this is acceptable.
This can help with tracing server linking errors, and/or
if using the junk snomask (MODE nick +s +j).
Naturally this is only available if the extbans/timedban module is
loaded and you should do so on all your servers on the same network
if you want to avoid confusion/desynchs.
These are bans that are automatically removed by the server.
The duration is in minutes and the mask can be any ban mask.
=> Note that you need to load the extbans/timedban module!
Some examples:
* A 5 minute ban on a host:
+b ~t:5:*!*@host
* A 5 minute quiet ban on a host (unable to speak):
+b ~t:5:~q:*!*@host
* An invite exception for 1440m/24hrs
+I ~t:1440:*!*@host
* A temporary exempt ban for a services account
+e ~t:1440:~a:Account
* Allows someone to speak through +m for the next 24hrs:
+e ~t:1440:~m:moderated:*!*@host
* And any other crazy ideas you can come up with...
For example if you had:
set { restrict-extendedbans "a"; };
Then this would be rejected:
MODE #chan +b ~a:Account
However, you could still set:
MODE #chan +b ~q:~a:Account
Now this is properly rejected as well.
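The stacking bypass described above, as an added C example (not UnrealIRCd's code): a check that looks only at the outermost extban type next to one that walks every level. The ~X: grammar is simplified, the function names are hypothetical, and treating the ~t:<minutes>: wrapper as one more level is a generalization beyond what the commit message states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Step over one "~X:" prefix, plus the "<minutes>:" field of a ~t timed ban.
 * Returns the extban letter and advances *mask, or returns 0 when *mask does
 * not start with an extban prefix. Simplified grammar, assumed for this example. */
static char next_extban(const char **mask)
{
    const char *s = *mask;
    char letter;

    if (s[0] != '~' || !isalpha((unsigned char)s[1]) || s[2] != ':')
        return 0;
    letter = s[1];
    s += 3;
    if (letter == 't') {
        const char *d = s;

        while (isdigit((unsigned char)*d))
            d++;
        if (d > s && *d == ':')
            s = d + 1; /* skip the duration, keep walking the inner mask */
    }
    *mask = s;
    return letter;
}

/* Behaviour before the fix, as the commit message describes it:
 * only the outermost type is compared with the restricted list. */
int restricted_outer_only(const char *mask, const char *restricted)
{
    char letter = next_extban(&mask);

    return letter && strchr(restricted, letter) != NULL;
}

/* Behaviour after the fix: every level of the stack is compared. */
int restricted_any_level(const char *mask, const char *restricted)
{
    char letter;

    while ((letter = next_extban(&mask)) != 0)
        if (strchr(restricted, letter))
            return 1;
    return 0;
}

int main(void)
{
    /* Masks taken from the examples in the commit messages. */
    const char *masks[] = {
        "~a:Account", "~q:~a:Account", "~t:1440:~a:Account",
        "~t:5:~q:*!*@host", "*!*@host"
    };
    const char *restricted = "a"; /* set { restrict-extendedbans "a"; }; */
    size_t i;

    for (i = 0; i < sizeof(masks) / sizeof(masks[0]); i++)
        printf("%-22s outer-only=%s  any-level=%s\n", masks[i],
               restricted_outer_only(masks[i], restricted) ? "reject" : "allow",
               restricted_any_level(masks[i], restricted) ? "reject" : "allow");
    return 0;
}
```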
Fix case where conv_param() returns NULL (ban rejected)
causing is_ok() function not to be called so the user
never sees the error. We now try to call the is_ok after
conv_param returns NULL.
So not really an API change, more like a fix.
the WEBIRC gateway gives us some assurance that the
client<->webirc gateway connection is also secure (eg: https).
This is the regular WEBIRC format:
WEBIRC password gateway hostname ip
This indicates a secure client connection (NEW):
WEBIRC password gateway hostname ip :secure
Naturally, WEBIRC gateways MUST NOT send the "secure" option if
the client is using http or some other insecure protocol.
https://github.com/ircv3/ircv3-ideas/issues/12
In 3.2.x we didn't fix these bugs since servers are trusted and
should send correct commands. In 4.0.x we changed this so we would
fix them when we come across such issues at normal priority (not
consider them security issues). I now took it a step further and
actively checked/looked for these issues and a bunch of them were
found. Almost all are NULL pointer dereferences, with some exceptions.
* S2S: MODE: check conv_param return value (NULL ptr crash)
* S2S: MODE: floodprot: More checks (NULL ptr crash)
* S2S: MODE: OOB write of NULL (write NULL past last element in an array)
* S2S: NICK: old compat fixes (NULL ptr crash)
* S2S: PROTOCTL: Check for double SID=
* S2S: SERVER: require at least 3 parameters (NULL ptr crash)
* S2S: SJOIN: require at least 3 parameters (NULL ptr crash)
* S2S: SJOIN: Fix OOB read (read 1 byte past buffer)
* S2S: TKL: validate set_at and expire_at (NULL ptr crash)
* S2S: TKL: require at least 9 parameters for spamf, not 8 (NULL ptr crash)
* S2S: TKL: ignore invalid spamfilter matching type (remove abort() call)
* S2S: TOPIC: querying for topic is not permitted (NULL ptr crash)
* S2S: UID: require 12 parameters (NULL ptr crash)
* S2S: WATCH: this is not a server command (NULL ptr crash)
* Fix OOB read (1 byte beyond string) for timevals. This was reachable
from config code, TKL (S2S) and /*LINE (Oper). In practice no crash.
* MODE: make code less confusing (effectively no change)
* TRACE: remove strange output in case of 0 lines of output
* Fix unimportant memory leak on boot (#4713, reported by dg)
* Fix small memory leak upon 'DNS i' (oper only command)
* Always work on a copy in clean_ban_mask(). This fixes a bug that could
result in a strlcpy(buf, buf, sizeof(buf)). So, overlapping strings,
which is undefined behavior.
* API change for HOOKTYPE_PRE_INVITE:
(aClient *sptr, aClient *target, aChannel *chptr, int *override)
Modules must now send the error message instead of only returning
HOOK_DENY. Also check for operoverride and set *override=1.
This so modules can send their own error messages instead of the
default message being sent ("channel is +V" - which is not true).
Reported by Gottem (#5023).
2) Use 'iscc' rather than 'compil32' since the latter pops up a
dialog box which blocks the entire build process.
3) Apparently the VS2017 image has a broken VS2012 since it bails
on winsock.h. So try to use different images for both builds.
set::handshake-delay of 2 seconds by default. This will allow (most)
DNSBL checking to be finished before the user comes online, while
still allowing a smooth user experience.
If your DNS(BL) is slow then you could raise this setting slightly.
https://www.unrealircd.org/docs/Link_verification
This is only outputted if both sides are 4.0.16+ so we can use spkifp
and use the same instruction on both sides of the link.
(If we would do it for previous versions then we would only give
half of the instructions to the users, which makes no sense)
password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
This value will stay the same even for new SSL/TLS certificates,
as long as the key stays the same. This can be useful in case of
Let's Encrypt (if you use a tool that keeps the same key, that is,
certbot does not at the moment). Suggested by grawity (#5014).
Also make auth type 'sslclientcert' available as 'cert' and
make 'sslclientcertfp' available as 'certfp'.
There is now '/spamfilter del' which will output all spamfilters along with
the appropriate command to delete each spamfilter (by unique ID).
This way it should be easy for anyone to delete an existing spamfilter.
We also refer to this new feature from '/spamfilter', '/stats spamfilter',
etc.
places by spamfilters (and some other systems) to be placed not on *@ip
but rather on user@ip. Note that this won't work for ZLINE/GZLINE since
no ident/username lookups are done in such cases.
Bit of a niche feature but okay..
on the IP and thus result in an XX.YY.ZZ.IP cloaked host.
This so you can have "IP cloaking" without disabling DNS lookups.
GLINES on hosts still work and IRCOps (and yourself) can still see
the host in /WHOIS.
Requested in 4957 by Gottem and The_Myth.
and set::sasl-server is not set by the administrator. Looks like this:
*** Services server 'services.test.net' provides SASL authentication, good! I'm setting set::sasl-server to 'services.test.net' internally.
Hopefully this will increase SASL availability significantly.
That is, once anope and atheme start sending the saslmechlist to us,
of course ;) (see commit d6e26d59e5)
This so saslmechs are properly sent in case of services (re)connect,
otherwise the CAP NEW is sent too early when the saslmechs are
not known yet.
NOTE: This makes sending "EOS" mandatory for any SASL servers.
You should be doing this since 14 years ago (it was added
in 3.2beta18 in August 2003) so hopefully that is the case.
Anope is good anyway :)
Fix force-rejoin not working if doing SVSMODE -x/+x (Koragg, #5015).
Note to module coders:
Please use the following procedure in case of a user/host change:
* userhost_save_current(acptr);
* << change username or hostname here (or both) >>
* userhost_changed(acptr);
This function will take care of notifying other clients about
the userhost change, such as doing PART+JOIN+MODE if force-rejoin
is enabled, and sending :xx CHGHOST user host messages to
"CAP chghost" capable clients.
Also, small note to everyone:
If force-rejoin is enabled we will not send the PART+JOIN+MODE to
"CAP chghost" capable clients. Doing so is just a hack to notify
people of a userhost change. "CAP chghost" users can thus benefit
from the reduced noise in this respect.
would allow you to use -f even if the IRCd is suid or sgid.
This is not anything we or you ever want to permit since this is
a major security problem. This setting is now gone. I doubt
anyone used it.
You should always use https://www.unrealircd.org/ for stable releases.
In case you wondered what happened with 4.0.15: that version consists
of cherry-picked / backports of the two crash fixes from this 'unreal40'
development branch. The current code simply wasn't ready yet for a
rushed security release.
Delete CAP CLEAR as its use is discouraged (too much trouble).
Delete CAP ACK (from client2server) as this is only for CAP's with
ack modifiers. This is something we don't use, and which has been
deprecated in v3.2 of the spec.
This permits multiple blocks like..
webirc {
    mask *;
    password "....." { sslclientcertfp; };
};
..should you need it.
In other words: we don't stop matching upon an authentication failure.
because so many people had a broken system/wget/curl, that is: without
the appropriate trusted CA certificates installed. If this is still
the case, then: too bad. People who DO have a proper setup shouldn't
be held back with regards to security by such users.
This so upcoming UnrealIRCd version will work with TLSv1.3 whenever it
becomes an official standard and is included in OpenSSL/LibreSSL.
(Verified to work with openssl git master branch)
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
connected to a server introducing himself as irc2.test.net. This
was rather confusing, of course. Wasn't much of a security issue since
this only happened in outgoing connects and naturally all authentication
needs to pass as well.
This is done for users on shared IRCd shells[*] which may be used to (or
forced to) connect services via their alias IP rather than 127.0.0.1
due to bind restrictions. This, in turn, to ease the transition to
set::plaintext-policy::server deny.
[*] Side-note: The UnrealIRCd team recommends using a VPS and not a
shared shell, as the latter is considerably less secure.
* The 'ban too broad' checking was broken. This permitted glines such
as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
To disable this safety measure you can (still) use:
set { options { allow-insane-bans; }; };
Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port
Example:
set {
    ssl {
        certificate "ssl/server.cert.pem";
        key "ssl/server.key.pem";
        sts-policy {
            port 6697;
            duration 180d;
        };
    };
};
IMPORTANT: Only use this if you know what STS is and what the
implications are. The most important things being A) set a correct
port and B) you need a 'real' SSL certificate and not a self-signed
certificate.
More documentation may follow at another place.
Module coders:
* The cap->visible(void) callback function is now cap->visible(aClient *)
* There is a new cap->parameter(aClient *) callback function.
* Various updates to subfunctions to pass 'sptr' (due to the above),
including clicap_find(sptr, ...)
* New CLICAP_FLAGS_UNREQABLE flag
Other:
* There is a new (src/)modules/cap directory containing the sts module,
well.. once I commit it :D
value needs to be much higher than the number of clients the IRCd
should be able to hold. The new value is 10k which should allow
at least 1-2k clients.
and at some other places (any place which uses the 'mask' system).
This allows things like:
deny channel { channel "#help*"; };
allow channel { channel "#help-nolan"; mask !192.168.*; };
allow channel { channel "#help-lan"; mask 192.168.*; };
Similarly in vhost blocks etc etc..
This so you can easily add allow/deny channel blocks for IP ranges.
Possibly not so useful for services-networks (ban/akick is very similar)
but has some use on serviceless networks.
For example: '+f [5j#i1,5m#m1,3n]:3' and then '+f [5j#i1,5m]:3'
In that case the '3n' was not removed and still effective, as
could be seen by a '/MODE #chan'. Reported by The_Myth (#4883).
[warning] Your server is not listening on any SSL ports. It is recommended to listen on port 6697.
[warning] Consider adding this to your unrealircd.conf: listen { ip *; port 6697; options { ssl; }; };
services software send this which cause a crash. Now simply rejecting at
the start of the function.
To services coders: you must maintain client lists/state, not do silly things
Note that they are NOT loaded by default at this time.
The modules are:
* extbans/textban - +b ~T:censor:*badword*
* usermodes/privdeaf - user mode +D: cannot receive PM's
* antirandom - "randomness" detector against drone attacks
* hideserver - hide servers (not real security, but requested)
* jumpserver - redirect users to another server during maintenance
* m_ircops - show which ircops are online (/IRCOPS command)
* m_staff - show custom file (/STAFF command)
* nocodes - don't just strip/block colors, do the same for reverse/bold/..
The existing README and sample configuration files for these modules
will later be added to the official UnrealIRCd documentation on
https://www.unrealircd.org/docs/Main_Page (just search on the module name).
This allows you to for example specify a specific certificate/key on a
serversonly port and in link block (a self-signed 10 year valid certificate)
and use a short-lived (XX day) Let's Encrypt certificate on the other ports.
And several other uses, of course.
so you can use IRC directly from HTML5/JS. It is still considered experimental
but feel free to test it out. To do so, add this to your unrealircd.conf:
loadmodule "websocket";
This module was sponsored by Aberrant Software Inc.
Previously <= 0 would stop processing. Now this has changed to:
>0: continue and parse as-is (this was already the case)
0: don't parse but continue reading next packet (if there's any data)
-1: stop parsing, don't read any packets (client may be killed/FLUSH_BUFFER)
Services coders: you can now set "SVSMODE Nick +d" to set the 'deaf' user
mode. Note that "SVSMODE Nick +d svsidhere" also still works. This should
be a harmless change, unless some services packages are accidentally trying
to set empty svsids like "SVSMODE Nick +d "... if you do, then the target
nick will be deaf now..
Only build main binary with -fPIE, not the modules. It's called Position
Independent EXECUTABLE after all. And apparently not all compilers or
linkers ignore the option if building shared objects (mine did..).
as it is the default in 4.0.8+. However, it shouldn't break the build if
specified. Fixed damn silly reversed logic at a few places that caused this...
We now set LDFLAGS during configure with -Wl,-rpath=/home/xyz/unrealircd/lib so
the curl test won't fail (or more precisely, curl's c-ares test).
Could theoretically fix other issues as well, but could not reproduce.
First of all, system-wide curl is much preferred, but if not available
then UnrealIRCd will offer to install curl for you during ./Config.
The prompt looks the same as before but we no longer install the curl
library in ~/curl but rather in ~/unrealircd/lib (or wherever you put
your installation).
Basically, it now behaves exactly the same as c-ares, TRE and PCRE.
Downside: curl will be re-compiled each time you re-run ./Config
Upside: curl will be re-compiled each time... :D.. will thus be kept
more up to date.
**
Also: complain if <curlinstall>/bin/curl-config cannot be found.
This ensures we error after ./Config rather than after the whole of
configure has been run.
then change the default value to /usr (or similar) during ./Config and
output a warning.
We do this since system-wide cURL is under almost all circumstances
preferred as it is maintained by your OS/distro and hence receives bug
fixes and security updates on a regular basis (or should, anyway).
Experience shows that ~/curl is rarely kept up to date since "it works".
In the past, many years ago, system wide cURL did not have AsynchDNS.
Nowadays nearly all distros build cURL with some sort of AsynchDNS
which makes things much more useable.
this on the basis that cURL may be using one c-ares version and UnrealIRCd
another c-ares version, something which obviously can lead to failure due
to ABI differences..
Many years have passed since then and cURL is now frequently built with
AsynchDNS support but without the help of c-ares (eg: on Debian). We can
support this configuration without requiring --with-system-cares since
c-ares is not used by cURL and there's no conflict.
options by default. This enables full RELRO (GOT and PLT being read-only),
stack protection and address space layout randomization (by enabling PIE,
the actual ASLR is left up to kernel).
Will cleanup some silly stuff later.. and have a go at the libs stuff..
code clutter and was broken anyway (especially CHROOTDIR)...
For a CHROOTDIR replacement we suggest using AppArmor, SELinux, FreeBSD jails, ..
For an IRC_USER/IRC_GROUP replacement you can use start-stop-daemon or similar.
Accepted values are: All (enable all), TLSv1, TLSv1.1, TLSv1.2
You can use + and - modifiers, in fact you are encouraged to.
Example: set { ssl { protocols "All,-TLSv1,-TLSv1.1"; }; };
This will only allow TLSv1.2 at time of writing, and later whenever
TLSv1.3 is released it will allow TLSv1.2 and TLSv1.3.
Note that 'SSLv2' and 'SSLv3' do not exist, as UnrealIRCd 4.x never
supported these old versions (and never will).
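An added C example of how such a +/- protocol list can be evaluated (not UnrealIRCd's parser). The bit values and function names are hypothetical, PROTO_TLSV1_3 stands in for a protocol added later, and a bare name replacing the current set is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define PROTO_TLSV1   0x01u
#define PROTO_TLSV1_1 0x02u
#define PROTO_TLSV1_2 0x04u
#define PROTO_TLSV1_3 0x08u   /* a later protocol: has a bit, but no name below */
#define PROTO_ALL     0xffffu /* "All" also covers bits that have no name yet */

/* Only the names the commit message lists are accepted. */
static unsigned proto_by_name(const char *name)
{
    if (!strcmp(name, "All"))     return PROTO_ALL;
    if (!strcmp(name, "TLSv1"))   return PROTO_TLSV1;
    if (!strcmp(name, "TLSv1.1")) return PROTO_TLSV1_1;
    if (!strcmp(name, "TLSv1.2")) return PROTO_TLSV1_2;
    return 0; /* SSLv2, SSLv3 and typos end up here */
}

/* Evaluate a list such as "All,-TLSv1,-TLSv1.1" from left to right.
 * Returns the enabled-protocol bitmask, or 0 when the list is malformed,
 * names an unknown protocol, or leaves nothing enabled. */
unsigned parse_protocols(const char *list)
{
    unsigned enabled = 0;
    const char *p = list;

    while (*p) {
        char name[16], modifier = 0;
        size_t len = strcspn(p, ",");
        unsigned bits;

        if (len > 0 && (*p == '+' || *p == '-')) {
            modifier = *p++;
            len--;
        }
        if (len == 0 || len >= sizeof(name))
            return 0;
        memcpy(name, p, len);
        name[len] = '\0';

        bits = proto_by_name(name);
        if (!bits)
            return 0;
        if (modifier == '-')
            enabled &= ~bits;
        else if (modifier == '+')
            enabled |= bits;
        else
            enabled = bits; /* assumption: a bare name replaces the set */

        p += len;
        if (*p == ',')
            p++;
    }
    return enabled;
}

int main(void)
{
    /* Constructed inputs; the first is the example from the commit message. */
    const char *lists[] = {
        "All,-TLSv1,-TLSv1.1", "TLSv1.2", "-TLSv1,All", "All,-SSLv3"
    };
    size_t i;

    for (i = 0; i < sizeof(lists) / sizeof(lists[0]); i++) {
        unsigned m = parse_protocols(lists[i]);

        printf("%-22s mask=0x%04x  TLSv1=%d TLSv1.1=%d TLSv1.2=%d later=%d\n",
               lists[i], m, !!(m & PROTO_TLSV1), !!(m & PROTO_TLSV1_1),
               !!(m & PROTO_TLSV1_2), !!(m & PROTO_TLSV1_3));
    }
    return 0;
}
```

The subtractive form keeps the bit of a later protocol enabled, while listing "TLSv1.2" on its own does not; evaluation is left to right, so "-TLSv1,All" re-enables everything.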
Tech: MODE_EXCEPT and MODE_INVEX had a parameter=0 count in cFlagTab
causing parse_chanmode() not to eat the 'e' and 'I' parameters. Thus
causing the wrong parameter (target) to be returned by parse_chanmode().
users didn't read and close the error screen. Instead they hit the "rehash" command
from the system tray and this would crash UnrealIRCd. From now on if you do that a
messagebox will show up saying you should pay attention to the error screen ;)
Fix SQUIT documentation, send ERR_USERSDONTMATCH when trying to change modes for other users, fix some typos, remove old HTM stuff. Resolves #2549, #3691 and more.
Tizen, DBoyz and Valdebrick helped tracing the issue.
Removed MATCH_USE_IDENT since it had no useful purpose.. for all cases one has to check identd first and then non-identd anyway.
* Updates to make UnrealIRCd use LibreSSL
* Fix HTTPS support in cURL
* Forgot to ship curl-ca-bundle.crt
(Note: all 3 points from above only affect Windows)
2) link::outgoing::bind-ip is an IPv4 address, and
3) link::outgoing::hostname is a hostname, and
4) this hostname has both A and AAAA records,
then connect by IPv4 only, which is what the user expects (#4615).
The user is not 'registered' yet at this point, so manually inform
services of their IP address (the syntax is "H <realhost> <ip>").
Services might use this when informing the user of failed auth attempts,
or when ratelimiting bruteforce.
Patch used only with minor changes: one %i should have been %s, some annoying (char *) casts removed which existed in the original code as well, moved 'tmp' variable, collapsed NULL initialization, ..
There were a few flaws in the code: 1) it should close the listener on /rehash,
shouldn't matter if there are clients or not, 2) then there was a bug where it
would properly close the listener but it would be re-opened by add_listener2.
Also added a "IRCd no longer listening on .." message if you remove a listen block.
You can still see the full list of loaded modules by using "/MODULE -all".
Also fix /MODULE <server>, this was broken in earlier versions by nen.... you know who.
extban +e/+I ~S:xxx worked fine (only checked locally). But this also prevented services from being
informed, IOTW: services could not make use of this new certfp feature yet.
When a user is shunned (eg /tempshun user), the command PING cannot be used (PONG can, to answer a server PING).
Some clients like irssi use the PING command to compute the server lag, so when an irssi user is shunned, the lag displayed in irssi starts to increase, giving a way to know if he is shunned.
After 320 sec of lag, irssi will reconnect, bypassing automatically the tempshun.
This resulted in 5-10 changes in the existing code where parameters were off.
Hopefully I didn't make too many mistakes when writing the hook prototypes as it was a tedious job.
An (unintentional) benefit of this new system is that you can see the hook prototypes in include/modules.h like:
/* Hook prototypes */
int hooktype_local_quit(aClient *sptr, char *comment);
....
Though, the wiki is likely a better place: https://www.unrealircd.org/docs/Dev:Hook_API
PROTOCTL EAUTH=servername,protocolversion,flags,unrealversiontext
This makes deny link { } work again and gives a bit more information too.
Bug reported by GLolol (#4408).
AUTH is a valid nickname so sending notices to it is probably not
a good idea. Use * as the target instead as done with numerics
when the nick is not available.
This mimics the behaviour in Charybdis, IRCD-Hybrid, InspIRCd 2.2,
Plexus 4, etc.
Re-implemented PROTOCTL SERVERS= which nenolod ripped out (#4355).
Add 2nd argument to PROTOCTL EAUTH=servername,unrealprotocol
Change UnrealProtocol from 2350 to 2351
No UnrealIRCd code reads from parv[0] anymore.
Perhaps later, after a few stable versions, we'll turn this into something more useful. Or not. But not soon.
Added swhois_add / swhois_delete functions which also take care of broadcasting
New remove_oper_privileges() function, will move the rest to use this (svsnoop svsmode etc)
Not finished yet...
Change MOD_TEST/MOD_LOAD/etc macros (this breaks all modules). Now just use this:
MOD_INIT(modulename)
{
// you can access modinfo here.. or other stuff...
}
(Similar to the CMD_FUNC() macro)
Rather than:
DLLFUNC int MOD_INIT(name)(ModuleInfo *modinfo)
{
//...
}
with a default of 3:90 (3 joins per 90 seconds). There's rarely any need
to configure this on a per-channel basis and this way it's enabled by
default for everyone (unless you decide not to load the module)
easily deal with "parameter eating" of unknown channel modes.
Now, 12 years later, finally added the code to do this.
This prevents some (serious) desynching if you have a parameter-eating
channel mode on one server and not on the other.
Obviously, you should always try to have the same featureset on all
servers, but sometimes this is not possible, like when upgrading..
Will still manage UnrealIRCd as a pref pane probably and system service, but should have an agent present so it's easier to admin when you're _logged in_
2) Call DNS routines more often, not just once per second.
2) Slightly lower the DNS timeout, max 2500 + 5000 = 7500ms now. Previously was 3000 + 6000 = 9000ms.
* remove netadmin, services-admin, admin, co-admin.
* remove all oper flags (there are some placeholders for the next... <24hrs..)
* ADMINCHAT and NACHAT are gone, since admin & netadmin no longer exist
* SVSO used oper flags, but this no longer exists, SVSO removed. maybe later we can add some sort of replacement.. maybe..
* re-style the m_oper code a bit
Not totally tested - I validated it built, I validated ACL validation worked, I validated that most of the ripped out functionality seemed to be absent, eg: we still set the modes (backwards compat w/ services?) but we don't actually check them anywhere, or add them to your whois.
Also make the '?' and '!' prefixes in channels in /WHOIS output more generic:
both mean you only get to see the channel because you are an ircop, but:
'?' means the channel is +s/+p too (so take extra care)
and '!' means the channel is public but for other reasons hidden in /WHOIS, like umode +p (later) or umode +S.
* detect "ircd not running" situations better
* ./unrealircd stop now kills the ircd in a more friendly manner.
* if you run './unrealircd restart' it will now also start the ircd even if it was not presently running.
Apparently neno.. ripped out this code so you could like run './unrealircd
start' 5 times and would then have 5 ircds running, of which 4 were not doing
particularly useful things.
Rather than just stating the error, we now also tell the user what to do.
* Change many configuration parse warnings into errors as this is (much)
more helpful to the user since the config file isn't going to load
properly anyway. Any subsequent 'missing xyz block' errors are not
shown on parse errors. That's good as they are often just missing
because of the parse errors so such errors would be confusing.
* Fix upgrade-conf strange behavior on \\ and \" in spamfilters. Was
actually caused by config parser (and not the updconf code).
* Remove .tmp file which may be left if we crashed during upgrade-conf
Original file is (of course) backed up as .conf.old.
Currently handled changes in this upgrade: loadmodule, me, link, throttle, spamfilter, allow, vhost, oper.
I think those are all right now. Please report any failures / strange issues on bugs.unrealircd.org
Coders: added generic mask functions: unreal_mask_match(), unreal_add_masks() and unreal_delete_masks().
These deal with one or multiple masks and do all the work for you ;)
Still requires module and core hooks to be added, config test to be added, and to require these for perm validation - this enables core parser and querying of system though
* add general matching framework (aMatch type, unreal_match_xxx functions)
* change spamfilter { } block syntax
* add support for simple wildcard matching (non-regex, just '?' and '*')
This is the initial commit so the new lib is not in yet, 'regex' is not
functional (but 'posix' and 'simple' are working), linking has not been
fully tested and no warnings are printed yet. IOTW: work in progress!
you want to permit re-loading but not complete un-loading of your module.
This way you get the benefits of being able to upgrade code on-the-fly but
can still disallow the user to do something potentially unwise.
For services who allow you to log in by account name but still allow you to
use a different nick: when you're logged in you are now considered
registered as far as channel mode +M (only registered users may speak) and
+R (only registered users may join) are concerned. Same for user mode +R
(only allow private messages from registered users).
Tech: whenever services set SVID and it's not * and does not start with a
number, then we consider this user to be 'logged in'.
Whenever a user is set +r (s)he is also considered 'logged in'.
This way it's compatible with both older and new services and doesn't
introduce security issues with older services using servicetimestamp
for nick tracking or other means.
This issue was reported by ShawnSmith (#4318).
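The 'logged in' rule from the entry above, as an added C sketch (not UnrealIRCd's own code). The struct and function names are hypothetical, and treating an empty SVID as not logged in is an assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, minimal user model for this example only. */
struct user {
    const char *svid;   /* service stamp as set by services */
    bool umode_r;       /* user mode +r (registered nick) */
};

/*
 * A user counts as logged in when +r is set, or when SVID is an account
 * name: not "*" and not starting with a digit. Older services put a
 * numeric servicetimestamp in this field for nick tracking, so a leading
 * digit must never be read as an account name.
 */
bool is_logged_in(const struct user *u)
{
    if (u->umode_r)
        return true;
    if (u->svid == NULL || u->svid[0] == '\0')   /* assumption: empty = no account */
        return false;
    if (strcmp(u->svid, "*") == 0)
        return false;
    if (isdigit((unsigned char)u->svid[0]))
        return false;
    return true;
}

/* Channel mode +M: only registered users may speak. */
bool may_speak(const struct user *u, bool chan_mode_M)
{
    return !chan_mode_M || is_logged_in(u);
}

/* Channel mode +R: only registered users may join. */
bool may_join(const struct user *u, bool chan_mode_R)
{
    return !chan_mode_R || is_logged_in(u);
}

/* User mode +R on the recipient: only registered users may message them. */
bool may_private_message(const struct user *sender, bool target_umode_R)
{
    return !target_umode_R || is_logged_in(sender);
}

int main(void)
{
    /* Constructed sample users, not taken from any real network. */
    const struct user samples[] = {
        { "*",          false },  /* not identified */
        { "1389211200", false },  /* old services: numeric servicetimestamp */
        { "0",          false },  /* old services: stamp cleared */
        { "alice",      false },  /* account login under a different nick */
        { "*",          true  },  /* classic +r identified nick */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("svid=%-12s +r=%d -> logged_in=%d\n", samples[i].svid,
               samples[i].umode_r, is_logged_in(&samples[i]));
    return 0;
}
```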
1) No arguments: UnrealIRCd will prompt you to enter a password and hash
it with the bcrypt algorithm. This is the recommended method.
2) One argument: It will hash the provided password with bcrypt
3) Two arguments: It will use the hashing algorithm of your choice (1st arg)
to hash the provided password (2nd arg)
We recommend to use syntax #1 as bcrypt is the best algorithm available and
by using the prompt the password won't end up in your bash history (or
whatever shell you use) and can't be snooped by other people with a shell
on the same machine (by looking at the process list)
Now you can just add password "$ZaJw56to$uSEc[etc..]"; to your configuration file without needing an explicit { md5; }; or { sha1; };.
Naturally you can still specify an auth-type if you want to, and for types like 'sslclientcert' it's still required.
We no longer support builds without OpenSSL - consequently we have no reason to keep our custom MD5 implementation, and probably shouldn't keep it around
Parsing of commands based on permissions was incorrect - if a command was not a user facing command explicitly, it would be denied for a user, furthermore if it was a server issuing the command, and it also was an oper command, it would be denied for similar reasons - correct parsing now in place.
Modules that take parameters to chanmodes cannot be unloaded at this time, we probably want to investigate adding this capability in the future so we can do dynamic updates of those modules
Modules or other resources could call ircd_log even if we are not fully booted, and we need to not fail in that situation, instead we should just emit the same warnings we usually do.
Not sure how this was supposed to originally work, if the sid is changed
the uid generator is not re-initialized, and even if it was it would allow
id collisions if it ever uplinked to another ircd with the old id it
had.
I see no reason for this.
Not sure what this originally was supposed to do, but clicap_find is
normally called multiple times per cap request per client, so this makes
no sense at all.
structs such as Client, Channel, Member and Membership.
- Modules that define channel modes no longer need to be permanent. This
was already true for paramless chmodes, but is now true for all.
- Converted floodprot module (chmode +f) to use MoData. This means some
remains could be purged from the core and the module is now fully
reloadable (no longer permanent).
- This code is experimental, but seems to work...
By default this is set to 'yes' which means that once a spamfilter matches
UnrealIRCd will take action immediately and any additional (other)
spamfilters will not be processed.
When this is set to 'no' then after the first spamfilter match other
spamfilters will still be checked. All of these matches will be logged and a
message will go to IRCOps (snomask +S) for each one. The affected user,
however, will only see one spamfilter action (eg: block or kill) which will
be the spamfilter with the 'gravest action' (gzline is highest, block and
warn are lowest).
- Update example config for pending commands.so removal. (r0cb592422175)
- Implement support for TCP_DEFER_ACCEPT (synflood-hardening). (#4096) (r2ea87de39063)
- remove global flag from oper block as it is implied by netadmin. (#4092) (r491e69c8ede6)
bind to (for example) the loopback interface before connecting to the
remote server.
In addition to that, we now don't bind() at all when bind-ip is not
present or is set to "*".
While here, add a function to mark a range of characters as OK, and close
a possible integer underflow bug in the character attribute code.
Character tables derived from Atheme libguess.
This is technically in violation of RFC1459, however the general consensus
at the IRC3 discussion meetings is that it's the numeric which actually matters.
DH parameters files must be encoded in PEM format, and the path is
set using the ssl::dh config setting. This is based on a patch
submitted by wolfwood, with some modifications to avoid using stdio
unnecessarily and to avoid code duplication.
Instead, run check_tkls() when TKL changes are made directly.
While this is technically slower when more than one TKL is placed
at once, the value of getting it out of the check_pings event is
greater.
This is partially for the sake of Stskeeps, even though he left the
project long ago, but mainly so we can work towards dynamic ticks in
the event loop while guaranteeing latencies for connected clients,
even with fakelag.
are neither read nor write means that c-ares is no longer interested in the
socket. Thusly we unregister it. This is probably wrong, but it seems to
work fine.
With this change, it is possible to completely disconnect read_message() from the mainloop,
and have a fairly responsive ircd (noticeably more responsive than what we had before I
started on this).
The "fakelag" stuff has been replaced with charybdis's deferred command processing logic,
which is more efficient and does the same thing without punishing behaving clients.
- Rename Changes to Changes.old
- In the Mercurial repository the Changes file no longer exists (except
for a dummy file). You now need to run ./createchangelog to generate it.
Of course in official releases the Changes file will be present and
contain all details.
- From now on, the Changes file is based on the history of the Mercurial
repository. This means we no longer have to write text manually to the
Changes file. This simple change helps a lot in future development
because patches will no longer break when they are being ported from
one branch to another.
unreal32docs.gr.html (outdated since 2006-12-02), and
unreal32docs.nl.html (outdated since 2009-01-18, possibly 2007-07-12).
These translations have been out of date for many years and are causing
problems for the people who are reading this out of date information.
If you want to update these translations, or (maybe better) redo
the translation of unreal32docs in these languages, then send an
e-mail to syzop@unrealircd.com.
Note that for all these languages we have had people in the past
offering to help out, but in the end we never heard back from them,
so please ONLY contact us if you: 1) are serious, and 2) have
sufficient time available to work on this project.
That said, users in your language will greatly appreciate your work!
Of course, if you want to translate documents in any other language
then you are welcome to contact us as well.
method to authenticate users with SSL client certificates based
on SHA256 fingerprints. This can be used instead of the already
existing 'sslclientcert' so you don't have to use an external file.
One way to get the SHA256 fingerprint would be:
openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint
Suggested and patch supplied by Jobe (#4019).
- Added documentation on the new sslclientcertfp
- Moved documentation on authentication types to one place and refer
to it from each section (oper::password, vhost::password,
link::password-receive, etc).
- Disable USE_POLL on Windows, since it doesn't work with XP and has
no advantage anyway. Reported by nenolod (#4129).
- Various updates to makefile.win32 and .iss file, found during
building new versions of zlib, openssl, and curl.
Any attempt to /OPER by someone who doesn't have one of the listed
usermodes is rejected. This can be used to restrict oper blocks to
registered nicks (+r) or secure clients (SSL, +z).
server.cert.pem exists, and check it if the file doesn't exist.
You can still change the setting, just the default is correct now.
The code for this was already there but was not working correctly
causing users to go through the generation process upon each install.
If this is not set, then SASL is off and not advertised.
If the specified server is not connected, then SASL is off as well.
This prevents unnecessary delay (and the inability for some clients to
get online) when SASL is not in use or when the SASL server is down.
This allows the IRCd to enforce MLOCKs that are set by services, which
eliminates clashes between users setting modes and services enforcing
its mlock on channels. (#3055)
queued data on the receive queue (eg: due to fake lag) was not processed
unless we got new data from the client.
Now, better document this. Also, avoid calling dbuf_put with 0 length.
goes to the boot screen. When we are already booted it's sent to all
IRCOps with a limit of max. 1 message per 5 minutes.
- Refuse to boot when we can't write to any log file.
vmakebuf_local_withprefix. Then use this new function - which creates the
buffer-to-be-sent - at the top of functions like sendto_channel_butserv
and sendto_common_channels and send the prepared buffer in the loop that
comes after it. This means we only prepare the buffer once and then send
it many times, rather than both building and sending it XYZ times.
Benchmarking connect-join-quit of 10k clients:
100 users per channel: no noticeable speed improvement
1000 users per channel: 18% faster
10000 users in one channel: 50% faster
As you can see, unfortunately, for a typical irc network there isn't much
speed improvement. However, if you have a couple of 500+ user channels or
get attacked by clones then you may see some improvement in speed and/or lower
CPU usage.
- UnrealIRCd now supports poll() instead of select().
There are some minor speed benefits if you have more than 1K or 2K
clients, however the main noticeable difference is that on Linux you can
now easily enter a higher maximum connection count than 1024 in ./Config,
without having to edit system header files.
Of course, you still need to be allowed to use the # of sockets (type
'ulimit -n' on the shell).
Support for this is experimental at this stage, but enabled by default
so it can receive all the testing it deserves. If all goes well, it will
be the default for 3.2.10.
Stress testing is very much welcomed!
* use get_client_by_pollfd() function instead of pollfd_to_client[]
directly, so we can easily find and debug any mistakes.
* add some commenting
* add extra debugging and core dumping if fd or slot values are out of bounds
* fix race condition in read_authports() where send_authports() 2 lines up
could have closed the socket, resulting in a read from fd -1.
NOTE: I've updated the select (non-poll) code as well, should be harmless.
* move all (re-)initialization to reset_pollfd(), I'm
much more comfortable with that as it aids debugging a lot.
* add parenthesis.
update my own fd check code for poll support
on OpenFiles to be correct. This fixes a crash when f.e. 3rd party modules
have files open but don't increase OpenFiles. Might also fix a curl crash,
though nobody ever reported one.
and ensures that the user does not have any ircop-only user modes after
de-opering. This (only) fixes the just added +I umode case, but could
also prevent future bugs.
Now the UNREAL_VERSION_GENERATION, UNREAL_VERSION_MAJOR,
UNREAL_VERSION_MINOR, and UNREAL_VERSION_SUFFIX macros are
autogenerated from PACKAGE_VERSION.
now store a string (of max NICKLEN size) as service stamp. See
protoctl.txt and serverprotocol.html in doc/technical for more
information.
Patch from nenotopia (#3966).
connection was never actually sent (due to buffering). Hence, things like
the /SQUIT reason was never seen on the other side (just 'server closed
the connection'). This has now been fixed.
- Win32: Attempt to move to 100% winsock2 (the include, to be precise),
this means includes have to be in a very particular order (!)
- Win32: #define _WIN32_WINNT 0x0501 and force our own inet_ntop/pton,
otherwise you get an ntop runtime error on XP and earlier.
- Win32: Get rid of c-ares includes and library in our tree, and use the
DLL instead of static LIB, just like we do for ssl and zlib.
- Win32: Get rid of TRE lib and includes
- Win32: reorder includes to fix winsock errors with curl
mysterious error 'The specified module could not be found' even though the
file exists. This usually means that it depends on another DLL, but
apparently Microsoft decided not to mention that in the error message.
We now append some small text when such an error happens, saying that it
could be because of a missing dependency. Reported by Phil.
and ZLINE) and 'except tkl' (which can exempt from GLINE, GZLINE, SHUN,
QLINE, GQLINE and SHUN). Reported by Digerati (#0002535).
- Added except tkl::type 'all', which exempts from all TKL types (except
KLINE).
network. You can also specify options like '/REHASH -global -motd' to
rehash only the MOTD/RULES/etc. Just like /REHASH <servername> this is a
NetAdmin-only command. This command is fully backwards compatible with
older UnrealIRCd versions in the sense that it will also REHASH old
Unreal's. Suggested by 'P' in #0001522.
'install as service' and 'encrypt SSL certificate', as they are
incompatible (a service cannot ask a user to enter a password).
- Win32 installer: Fixed long outstanding problem with some Vista / Windows 7
installations, which has to do with file permissions of the Unreal3.2
folder. Symptoms were error messages such as:
Unable to create file 'tmp/10D9D743.commands.dll': Permission denied
But also failing to create SSL certificates, nothing being logged, etc.
This is now fixed by setting write access on the Unreal3.2 folder to the
user running the install, unless the user chooses not to use this new
option (it can be unchecked), in which case the user is warned that he
should take care of this himself.
Reported by various persons, special thanks to Bock and goldenwolf for
helping us to track down this issue (#0003943).
- Some small updates to the extended channel mode system: it now has minimal
support for 'local channel modes'. This is really only meant for channel
mode +Z (upcase z), see next.
- Added Channel Mode Z which indicates if a channel is 'secure' or not.
This mode works in conjunction with +z (lower case z).
If +z is set ('only secure users may join'), then the IRCd scans to see
if everyone in the channel is connected through SSL. If so, then the
channel is set +Z as well ('channel is secure').
Whenever an insecure user manages to join, the channel is -Z. And whenever
all insecure users leave, the channel is set +Z.
The 'insecure user being present in a +z channel' can be because:
- An IRCOp joined the channel, and he's not secure
- When servers link together and a user on the other side is not secure
This only happens on net merge (equal time stamp).
On different time stamp, we still kick insecure users on the new side.
- At the time when +z is set, there are insecure users present.
This feature was implemented after a heavy discussion in bug #3720 by fez
and others, and was suggested by Stealth.
Tech note: +Z/-Z is handled locally by each server. Any attempt to
remotely set +Z/-Z (eg: by services) will be ignored.
- As mentioned above, +z can now be set even if any insecure users are
present. Previously, this was not permitted. Now, as soon as the last
non-SSL user leaves, the channel will be set +Z.
- An oper not connected through SSL previously had to /INVITE himself
to a channel and then /JOIN the channel with the key 'override'.
This 'override' key is no longer required, a simple JOIN will suffice.
- Sorted channel modes in /HELPOP ?CHMODES
- Re-enabled 'fishy timestamp' errors in MODE. For some reason this was
commented out, even though the (more annoying and less useful) code in
JOIN was enabled so that did not make a lot of sense. It also now logs to
ircd.log (or whatever you configure). This enables people to more easily find
the cause of any timestamp issues (which usually is badly coded services).
commands.so. This module was written to help IRCd maintainers deal
with some sort of ``XPS'' attack in which javascript-initiated HTTP
POST form submissions were able to act as dummy IRC bots. These
simple bots were the cause of much spam. (#3893)
- Add a modules section to the documentation. This was created to put
all documentation specific to the m_post module in one, easy to find
place. The documentation on m_post is likely incomplete, however.
- Added support for "stacked" extbans. Put simply this allows extban combinations
such as ~q:~c:#test to only silence users on #test, for example. This feature
is enabled by default, but can be disabled during ./Config -advanced.
This feature was suggested by Shining Phoenix (#0003193), was then coded
by aquanight for U3.3, and later on backported and partially redone by Syzop.
Module coders:
In an extban ~x:~y:something where we call ~x the 1st, and ~y the 2nd extban:
Since stacked extbans only makes sense where the 1st one is an action
extended ban like ~q/~n/~j, most modules won't have to be changed, as
their extban never gets extended (just like ~c:~q: makes no sense).
However, you may still want to indicate in some cases that the extban your
module introduces also shouldn't be used as 2nd extban.
For example with a textban extban ~T it makes no sense to have ~n:~T.
The module can indicate this by setting EXTBOPT_NOSTACKCHILD in
the ExtbanInfo struct used by ExtbanAdd().
For completeness I note that action modifier extbans are indicated by
EXTBOPT_ACTMODIFIER. However, note that we currently assume all such
extbans use the extban_is_ok_nuh_extban and extban_conv_param_nuh_or_extban
functions. If you don't use these and use EXTBOPT_ACTMODIFIER, then things
will go wrong with regards to stack-counting.
Module coders should also note that stacked extbans are not available if
DISABLE_STACKED_EXTBANS is defined.
- Added extended ban ~R:<nick>, which only matches if <nick> is a registered
user (has identified to services). This is really only useful in ban
exemptions, like: +e ~R:Nick would allow Nick to go through all bans if he
has identified to NickServ. This is often safer than using +e n!u@h.
- Added Extended Invex. This is very much like extended bans, in fact it
supports some of the same flags. Syntax: +I ~character:mask
Currently supported are: ~c (channel), ~r (realname) and ~R (registered).
This can be useful when setting a channel invite only (+i) and then
setting invite exceptions such as +I ~c:#chan (or even ~c:+#chan), while
still being able to ban users.
Because action modifiers (~q/~n/~j) make no sense here, extended invex
stacking (+I ~a:~b:c) makes no sense either, and is not supported.
Suggested by DanPMK (#0002817), parts based on patch from ohnobinki.
Module coders: set EXTBOPT_INVEX in the ExtbanInfo struct used by
ExtbanAdd() to indicate that your extban may also be used in +I.
- Invex (+I) now always checks cloaked hosts as well. Just like with bans,
it checks them also when the user is not currently cloaked (eg: did -x, or
is currently using some VHOST).
- Fixed client desynch caused by (un)banning, reported by Sephiroth (#2837).
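The stacking rules from the stacked extban and Extended Invex entries above, as an added C sketch of a validator (not UnrealIRCd's own code). The table, function names and flag values are hypothetical, the flag names mirror the page's EXTBOPT_* options, and refusing an action modifier as 2nd extban is an assumption of this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Mirror EXTBOPT_ACTMODIFIER / _NOSTACKCHILD / _INVEX; values are made up. */
enum { OPT_ACTMODIFIER = 1, OPT_NOSTACKCHILD = 2, OPT_INVEX = 4 };

struct extban_def { char letter; unsigned opts; };

/* Extbans named on the page, with the options the page describes for them. */
static const struct extban_def EXTBANS[] = {
    { 'q', OPT_ACTMODIFIER }, { 'n', OPT_ACTMODIFIER }, { 'j', OPT_ACTMODIFIER },
    { 'c', OPT_INVEX }, { 'r', OPT_INVEX }, { 'R', OPT_INVEX },
    { 'T', OPT_NOSTACKCHILD },
};

enum list_type { LIST_BAN, LIST_INVEX };

enum verdict {
    EB_OK, EB_MALFORMED, EB_UNKNOWN, EB_NOT_FOR_INVEX, EB_INVEX_STACKED,
    EB_PARENT_NOT_ACTION, EB_CHILD_NOT_STACKABLE, EB_TOO_DEEP
};

static const struct extban_def *find_extban(char letter)
{
    for (size_t i = 0; i < sizeof EXTBANS / sizeof EXTBANS[0]; i++)
        if (EXTBANS[i].letter == letter)
            return &EXTBANS[i];
    return NULL;
}

/* Returns 1 if s has the form "~X:rest"; stores X and a pointer to rest. */
static int split_extban(const char *s, char *letter, const char **rest)
{
    if (s[0] != '~' || s[1] == '\0' || s[2] != ':')
        return 0;
    *letter = s[1];
    *rest = s + 3;
    return 1;
}

enum verdict check_extban(const char *mask, enum list_type list)
{
    char l1, l2, l3;
    const char *p1, *p2, *p3;
    const struct extban_def *first, *second;

    if (mask == NULL || *mask == '\0')
        return EB_MALFORMED;
    if (mask[0] != '~')
        return EB_OK;                              /* ordinary n!u@h mask */
    if (!split_extban(mask, &l1, &p1) || *p1 == '\0')
        return EB_MALFORMED;
    if ((first = find_extban(l1)) == NULL)
        return EB_UNKNOWN;

    if (list == LIST_INVEX) {
        if (!(first->opts & OPT_INVEX))
            return EB_NOT_FOR_INVEX;               /* e.g. +I ~q:... */
        /* +I ~a:~b:c is not supported: action modifiers make no sense here */
        return split_extban(p1, &l2, &p2) ? EB_INVEX_STACKED : EB_OK;
    }

    if (!split_extban(p1, &l2, &p2))
        return EB_OK;                              /* single extban, ~c:#test */
    if (!(first->opts & OPT_ACTMODIFIER))
        return EB_PARENT_NOT_ACTION;               /* ~c:~q:... makes no sense */
    if (*p2 == '\0')
        return EB_MALFORMED;
    if ((second = find_extban(l2)) == NULL)
        return EB_UNKNOWN;
    if (second->opts & OPT_NOSTACKCHILD)
        return EB_CHILD_NOT_STACKABLE;             /* ~n:~T:... */
    if (second->opts & OPT_ACTMODIFIER)
        return EB_TOO_DEEP;                        /* assumption of this model */
    if (split_extban(p2, &l3, &p3))
        return EB_PARENT_NOT_ACTION;               /* 2nd extban is not an action */
    return EB_OK;
}

int main(void)
{
    /* Constructed sample masks; the ~T parameter syntax is illustrative. */
    const char *bans[] = { "~q:~c:#test", "~c:~q:nick!*@*", "~n:~T:block:*x*",
                           "~R:Nick", "nick!user@host", "~q:" };
    for (size_t i = 0; i < sizeof bans / sizeof bans[0]; i++)
        printf("+b %-18s -> %d\n", bans[i], check_extban(bans[i], LIST_BAN));
    printf("+I %-18s -> %d\n", "~c:+#chan", check_extban("~c:+#chan", LIST_INVEX));
    printf("+I %-18s -> %d\n", "~c:~r:x", check_extban("~c:~r:x", LIST_INVEX));
    return 0;
}
```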
two groups: one that specifies ban actions (~q/~n/~j) and one that
introduces new criteria (~c/~r). Also added documentation for ~R which
does not exist yet, but will soon...
- Added information about ``oper::password::auth-type sslclientcert'' and the same for link::password-receive::auth-type. (#3133)
- A little bit more of interlinking and using id="" instead of <a name="" />
curl version is new enough and is not using a c-ares which is binary
incompatible. If the self-compiled curl version is (too) outdated, then we
now suggest to rename it and have the installer re-download and compile
it automatically. This avoids some potential crashes.
was not compiled with c-ares, which is clearly a bad idea as then the
entire IRCd can hang for several seconds or more...
We now check if they support asynch DNS, and skip them if they don't.
- Separate m4 macros into *.m4 files (it is much easier to run aclocal now).
- Remove unused DOMAINNAME macro and --with-hostname= options as the DOMAINNAME macro isn't used anywhere and its use shouldn't be encouraged.
- autogen.sh to bootstrap the buildsystem. We now maintain setup.h with autoheader.
- --disable-blah now does the opposite of --enable-blah. The same for --with-blah and --without-blah. (This makes Gentoo users happier).
- Remote MOTD support. Not adequately tested. Required restructuring of the asynchronous download callback and handler.
- Added some consts throughout url.c, etc.
- Fix segfault where an include directive specifies a URL and cURL follows redirects, resulting in a different resultant URL. The remote includes code would look for the include block using the resultant URL and assume that it would be found. The new code searches differently, has new checks, and ignores the resultant URL.
- Removed duplicated m_motd() and friends that were both in modules and s_serv.c. The copies in s_serv.c (core) were overriding the in-module functions.
- IPv6: it seems some recent Linux dists decided to make IPv6 sockets
IPv6-only, instead of accepting both IPv4&IPv6 on them like until now.
FreeBSD (and other *BSD's) already did that move a few years back,
requiring server admins to sysctl.
We now make use of a new option to explicitly disable "IPv6-only".
This should work fine on Linux.
Whether it provides a complete solution for FreeBSD, I don't know, testing
is welcome! In theory setting net.inet6.ip6.v6only to 0 should no longer
be needed, but you might still need to enable ipv6_ipv4mapping.
- Fix stupid issue where current CVS would no longer link TO an earlier
Unreal server (eg: outgoing connect to a 3.2.8 hub). Reported by ohnobinki
(#0003901).
against HTTP POST proxies, now added some extra text to say it also
protects against the Firefox XPS IRC Attack. Also made NOSPOOF enabled by
default on *NIX (this was already the case on Windows).
- Updated ./Config description for DPATH. Seems quite some people answer
this question wrong, and when that happens, you only get some obscure
error when running './unreal start'.
- Fixed 'unreal' script to give a better error if it cannot find the IRCd
binary.
Previously this caused some really odd behavior. Backslashes are now
treated as-is, so no special escaping is necessary. Reported by DelGurth
(#0003002).
- Removed old dgets() function
redundant and confusing. Also removed an old statement saying k-lines would
be erased on rehash which is not true. Documented '/rehash -dns'.
Reported by ohnobinki (#0003881).
curl detection, added checks to see if curl actually works (print out a
clear curl error during configure, instead of getting an error during
'make'), and we now error when using --enable-libcurl without
--with-system-cares if the system curl depends on c-ares. This is because
this can cause ABI incompatibility between curl's c-ares and our c-ares,
which leads to odd issues such as:
Could not resolve host: www.example.net (Successful completion)
And possibly other weird issues, perhaps even crashes.
it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as
UHNAMES may increase the time of the nick list being loaded from 1 to 4
seconds when joining several channels with more than 1000 users. As this
problem is only present on some networks, we keep UHNAMES enabled by
default.
descriptors. Because of this, Unreal did not restart properly as you would
get an "Address already in use" error. This only seemed to happen when
logging to syslog, or when there was something wrong with syslogd.
Reported by Mouse (#0003882).
descriptors. Because of this, Unreal did not restart properly as you would
get an "Address already in use" error. This only seemed to happen when
logging to syslog.
- Fixed a similar issue with syslog (and debugmode) and closing fd's as well:
the first port we listened on would not open up, ircd did not log any error.
- Made ./Config description about remote includes a bit more clear.
- When you now answer Yes to Remote includes in ./Config and $HOME/curl does
not exist, it now asks you if you want to automatically download and
install curl (which is done by ./curlinstall).
This has been tested on Linux, further testing on f.e. FreeBSD is
required.
- Server protocol: added PROTOCTL EAUTH=servername, which allows us to
authenticate the server very early in the handshake process. That way,
certain commands and PROTOCTL tokens can 'trust' the server.
See doc/technical/protoctl.txt for details.
- Server protocol: between new Unreal servers we now do the handshake a
little bit different, so it waits with sending the SERVER command until
the first PROTOCTL is received. Needed for next.
- Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can
inform the other server which servers (server numeric, actually) it has
linked. See doc/technical/protoctl.txt and next for details.
- When our server was trying to link to some server, and at the same time
another server was also trying to link with us, this would lead to a
server collision: the server would link (twice) ok at first, but then a
second later or so both would quit with 'Server Exists' with quite some
mess as a result. This isn't unique to Unreal, btw.
This happened more often when you had a low connfreq in your link blocks
(aka: quick reconnects), or had multiple hubs on autoconnect (with same
connfreq), or when you (re)started all servers at the same time.
This should now be solved by a new server handshake design, which detects
this race condition and solves it by closing one of the two (or more)
connections to avoid the issue.
This also means that it should now be safe to have multiple hubs with low
connfreq's (eg: 10s) without risking that your network falls apart.
This new server handshake (protocol updates, etc) was actually quite some
work, especially for something that only happened sporadically. I felt it
was needed though, because (re)linking stability is extremely important.
This new feature/design/fix requires extensive testing.
This feature can be disabled by: set { new-linking-protocol 0; };
having to use a special SSL-only port, they can simply switch to SSL on
any port. This is currently only supported by few clients (such as KVIrc 4).
This functionality can be disabled by setting set::ssl::options::no-starttls,
for example if you don't want to offer SSL to your users and only want it
to be used for server to server links.
Naturally, the IRCd must be compiled with SSL support for STARTTLS to work.
- Fixed SSL_ERROR_WANT_READ in IRCd_ssl_write()
such as ~q:~c:#test to only silence users on #test, for example. This feature
is enabled by default, but can be disabled during ./Config -advanced. Module
support for this feature must note the following:
- For is_ok function, the extban can either assign extban_is_ok_nuh_extban, which
will deal with checking a chained extban (including checking for restricted extbans),
or it can call that function from its own is_ok routine. For the latter case,
remember to pass only the mask part of your ban format (ie, don't just pass para as
otherwise it'll just call your is_ok again).
- For conv_param function, the extban can either assign extban_conv_param_nuh_or_extban,
which will automatically call conv_param for a chained extban, or pretty up a n!u@h mask.
- For is_banned, the extban should call ban_check_mask with the mask part of the parameter.
This will automatically call is_banned for a stacked extban, or match against a n!u@h. n!u@h
is checked against the current user (ie, with the info in the globals ban_ip, etc), so things
can get weird if you call this outside a normal ban check.
Modules must keep in mind that chained extban support is not available (and neither are the three
functions above) if DISABLE_STACKED_EXTBANS is #defined (this is controlled by Config). Modules will
not compile/load if they try to use them anyway.
This change should not break extban modules, and should need some more extensive testing.
- Misc fix for disabling extban chains, should've done stuff in our autoconf
stuff instead of hacking configure directly :P .
load (for example when the webserver is down), then the most recent
version of that remote include will be used, and the ircd will still boot
and be able to rehash. Even though this is quite a simple feature, it
can make a key difference when deciding to roll out remote includes on
your network. Previously, servers would be unable to boot or rehash when
the webserver was down, which would be a big problem (often unacceptable).
The latest version of fetched urls are cached in the cache/ directory as
cache/<md5 hash of url>.
Obviously, if there's no 'latest version' and an url fails, the ircd will
still not be able to boot. This would be the case if you added or changed
the path of a remote include and it's trying to fetch it for the first time.
To disable this new behavior, check out REMOTEINC_SPECIALCACHE in
include/config.h.
(HOOKTYPE_PACKET). Replacing the 'text to be sent' to a client is
supported, which allows character(set) conversion in a module.
Note that modifying an incoming message by the hook is not supported.
from not binding to that ip when linking, to not being able to link at
all. Also fixed a very small memory leak upon /REHASH. Bug reported by
Mr_Smoke (#0003858).
timesynch) made autoconnect not work for the duration of the offset
(eg: -60 would make autoconnect wait 60 seconds after boot, instead of
autoconnecting almost immediately). Reported by aragon (#0003853).
* And force the use of at least the version shipped with Unreal
* (or at least one without known security issues).
*/
this text is fcked btw.. whatever...
printed out as a warning, when in fact it's an error (and was treated as
such). Same for ZIP on non-zip compile. Reported by Stealth (#0003833).
..& updated credits..
- When pkg-config is present but does not recognize --static, use
default c-ares library options.
- Set default c-ares library options to -lcares on FreeBSD and others.
Set to -lcares -lrt on Linux (previously was -lcares -lrt for all).
Thanks to goldenwolf for the bugreport (#0003803) and providing a test-
shell to trace this issue down.
such as 3 connections per 60 seconds. Previously that could result in 3
per 90 seconds due to timer inaccuracy, now max 65 seconds (max 5s
inaccuracy).
In the IRCd world correct time is very important. This means that time
should be correct when the IRCd is booted, either by running ntpd/ntpdate
on the system or some other synchronization software, or by using the
built-in timesync feature.
Whenever the clock is adjusted for more than a few seconds AFTER the IRCd
has booted, it can lead to dangerous effects ranging from unfair timestamps
for nicks and channels (and hence the possibility to takeover channels),
to even completely stalling the IRCd (negative timeshift) or making it so
nobody can connect anymore due to throttling (positive timeshift).
We now try to 'fix' the worst effects such as the IRCd freeze and
throttling. This does not fix the whole problem, so I've added some big
warnings when the clock is adjusted, including an annoying one every 5
minutes if the clock was set backwards, until the time is OK again
(catches up with the original time).
This fixes #0003230 reported by Stealth, and #0002521 reported by durrie.
set::spamfilter::slowdetect-fatal, set::ssl::server-cipher-list,
set::ssl::renegotiate-bytes, set::ssl::renegotiate-timeout,
set::watch-away-notification and ./unreal gencloak. Reported by Bock
(#0003764).
- set::ssl::renegotiate-bytes: fix when specifying a value such as 10m.
- './unreal gencloak' now actually works
- Fix typo in user mode q notice, reported by Strawberry_Kittens and others
(#0003761).
- Possible fix for MAC OS X compile problem - UNCONFIRMED.
(NickServ client, NULL if not present). You can return 1 (HOOK_DENY) to
make the IRCd not send IDENTIFY to NickServ. Suggested by tabrisnet
(#0003739).
(sorry, previous half-commit to src/modules/m_nick.c was accidental)
- Win32: Made UnrealIRCd run as a service under non-privileged accounts
(ones that do not belong to the Administrator group). Reported by
skyflash, Bock, zer, etc... Thanks to BuHHunyx for some hints on how to
fix this.
server.
Should never happen except when using faulty services or when something else
got horribly wrong (like a date which is 40 years ahead). Reported by
Darth Android (#0003738).
don't support this and will fail to compile UnrealIRCd. This fixes #3680,
reported by therock247uk.
- Upgraded c-ares to 1.6.0 (also now using pkg-config).
If you get a "undefined reference to `clock_gettime'" error, then you
might consider installing 'pkg-config' on your system, and then simply
re-run ./Config and make, should fix things.
__TODO__: win32 c-ares upgrade to 1.6.0 (and copy & fix header files).
__TODO__: testing! testing! i'd like to be sure this c-ares is stable!
'uname -a' at compile time. This fixes bug #1438 and #3320 reported by
Mouse and Monk, where because of previous behavior the IRCd sometimes
would not compile in certain environments.
'error setting max fd's to 9223372036854775807' which prevents the ircd
from booting up. Reported by btcentral and Bock. This hack might not be
totally correct though ;).
each time it executes, how LONG it takes to execute. When a certain threshold
is reached the IRCd will warn or even remove the spamfilter. This will prevent
a spamfilter (regex) from slowing down the IRCd too much, though it's still not
a guarantee that it will never go to a halt (eg: in case it takes several
minutes to execute a regex or loops forever).
Warning can be configured via set::spamfilter::slowdetect-warn (default:
250 milliseconds) and automatic deletion of spamfilters if it takes too
long is set through set::spamfilter::slowdetect-fatal (default: 500 ms).
NOTE: slow spamfilter detection is currently not available on Windows.
NOTE 2: to disable slow detection you can set the warn and fatal settings
to 0 (zero). OR to really disable all code, remove SPAMFILTER_DETECTSLOW
from include/config.h and recompile.
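A sketch of the warn/fatal timing check described above, added here as an illustration and not taken from UnrealIRCd's source. All type and function names are hypothetical, measuring CPU time with getrusage() is an assumption of this example, and only the 250 ms and 500 ms defaults come from the text.

```c
#include <regex.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/time.h>

/* Hypothetical names throughout; only the 250/500 ms defaults come from the text. */
enum slow_verdict { SLOW_OK = 0, SLOW_WARN, SLOW_FATAL };

struct slow_limits {
    long warn_ms;   /* like set::spamfilter::slowdetect-warn, 0 = disabled */
    long fatal_ms;  /* like set::spamfilter::slowdetect-fatal, 0 = disabled */
};

struct timed_filter {
    regex_t re;
    int active;     /* cleared once the filter has been removed */
    long worst_ms;  /* slowest execution seen so far */
};

/* Map one measured execution time onto the configured thresholds. */
enum slow_verdict classify_duration(long elapsed_ms, const struct slow_limits *lim)
{
    if (lim->fatal_ms > 0 && elapsed_ms >= lim->fatal_ms)
        return SLOW_FATAL;
    if (lim->warn_ms > 0 && elapsed_ms >= lim->warn_ms)
        return SLOW_WARN;
    return SLOW_OK;
}

/* CPU time (user + system) consumed by this process so far, in milliseconds. */
static long cpu_ms_now(void)
{
    struct rusage ru;

    if (getrusage(RUSAGE_SELF, &ru) != 0)
        return 0;
    return (long)(ru.ru_utime.tv_sec + ru.ru_stime.tv_sec) * 1000L
         + (long)(ru.ru_utime.tv_usec + ru.ru_stime.tv_usec) / 1000L;
}

int filter_add(struct timed_filter *f, const char *pattern)
{
    f->active = 0;
    f->worst_ms = 0;
    if (regcomp(&f->re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    f->active = 1;
    return 0;
}

/* Record one measurement and drop the filter when the fatal limit is reached. */
enum slow_verdict filter_account(struct timed_filter *f, long elapsed_ms,
                                 const struct slow_limits *lim)
{
    enum slow_verdict v = classify_duration(elapsed_ms, lim);

    if (elapsed_ms > f->worst_ms)
        f->worst_ms = elapsed_ms;
    if (v == SLOW_FATAL && f->active) {
        regfree(&f->re);
        f->active = 0;
    }
    return v;
}

/*
 * Run the filter on one line of text; returns 1 on a match.  The verdict is
 * only known after regexec() returns, so a regex that never returns is not
 * caught by this check (the limitation the text points out).
 */
int filter_run(struct timed_filter *f, const char *text,
               const struct slow_limits *lim, enum slow_verdict *verdict)
{
    long start;
    int matched;

    *verdict = SLOW_OK;
    if (!f->active)
        return 0;
    start = cpu_ms_now();
    matched = (regexec(&f->re, text, 0, NULL, 0) == 0);
    *verdict = filter_account(f, cpu_ms_now() - start, lim);
    return matched;
}

int main(void)
{
    struct slow_limits lim = { 250, 500 };
    struct timed_filter f;
    enum slow_verdict v;

    if (filter_add(&f, "\\$decode\\(.*\\)") != 0)
        return 1;
    /* "$decode(abc,m)" is a constructed sample input. */
    printf("match=%d verdict=%d\n", filter_run(&f, "$decode(abc,m)", &lim, &v), (int)v);
    if (f.active)
        regfree(&f.re);
    return 0;
}
```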
This new feature (away notify) is announced in 005 (ISUPPORT) as: WATCHOPTS=A
Format is: WATCH A +UserOne +UserTwo
New numerics to cope with away notification in WATCH are:
RPL_NOWISAWAY: to indicate the user is away _when adding_ it to WATCH list
RPL_GONEAWAY: user was not away, but is now
RPL_NOTAWAY: user was away, but is no longer away
RPL_NOWISAWAY: user was away, and still is, but the reason changed
Example:
WATCH A +Target
Request to add user 'Target' to the watch list with away notification
:maintest.test.net 609 MySelf Target ~blih test.testnet 1204309588 :not here atm
Reply to watch add: user is online and away, reason is provided
:maintest.test.net 599 MySelf Target ~blih test.testnet 1204309588 :is no longer away
User is back (no longer away)
:maintest.test.net 598 MySelf Target ~blih test.testnet 1204309722 :lunch
State change: user is now away, reason is provided
:maintest.test.net 597 MySelf Target ~blih test.testnet 1204309738 :shopping, bbl
User is still away, but reason changed.
The syntax for each numeric is:
<nickname> <username> <hostname> <awaysince> :<away reason>
In case of 599 (RPL_NOTAWAY) it is:
<nickname> <username> <hostname> <awaysince> :is no longer away
For the record, this is all based on a draft from codemastr from 2004, which was
implemented in Unreal3.3 (devel branch) in 2006. Today, in 2008 it was updated
with away reason support and backported to Unreal3.2. Because away notification
hasn't been used until now (due to it only being in Unreal3.3) we felt it was
safe to break some numerics.
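A client-side parser for the four away-notification replies shown above, added here as an illustration and not taken from UnrealIRCd or any client. The struct, enum and function names are hypothetical; events are keyed by the numerics 609, 599, 598 and 597 from the example, and the away reason is treated as untrusted text and copied with a length bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; the numerics and field order come from the example above. */
enum away_event {
    AWAY_EV_NONE = 0,       /* not an away-notification numeric */
    AWAY_EV_NOW_IS_AWAY,    /* 609: already away when added to the WATCH list */
    AWAY_EV_NOT_AWAY,       /* 599: was away, is no longer away */
    AWAY_EV_GONE_AWAY,      /* 598: was not away, is now */
    AWAY_EV_REASON_CHANGED  /* 597: still away, but the reason changed */
};

struct away_notice {
    enum away_event event;
    char nick[64];
    char user[64];
    char host[128];
    long away_since;        /* UNIX timestamp */
    char reason[256];
};

static enum away_event event_for_numeric(long numeric)
{
    switch (numeric) {
    case 609: return AWAY_EV_NOW_IS_AWAY;
    case 599: return AWAY_EV_NOT_AWAY;
    case 598: return AWAY_EV_GONE_AWAY;
    case 597: return AWAY_EV_REASON_CHANGED;
    default:  return AWAY_EV_NONE;
    }
}

/* Copy one space-delimited token into dst; NULL if it is empty or too long. */
static const char *take_token(const char *p, char *dst, size_t n)
{
    size_t len = strcspn(p, " ");

    if (len == 0 || len >= n)
        return NULL;
    memcpy(dst, p, len);
    dst[len] = '\0';
    p += len;
    while (*p == ' ')
        p++;
    return p;
}

/* Parse ":server NNN me nick user host awaysince :reason"; 0 on success, -1 otherwise. */
int parse_away_notice(const char *line, struct away_notice *out)
{
    char tmp[128];
    char *end;
    const char *p = line;
    size_t len;

    memset(out, 0, sizeof(*out));
    if (*p != ':')                                    /* numerics carry a server prefix */
        return -1;
    if (!(p = take_token(p + 1, tmp, sizeof(tmp))))   /* server name */
        return -1;
    if (!(p = take_token(p, tmp, sizeof(tmp))) || strlen(tmp) != 3)
        return -1;                                    /* three-digit numeric */
    out->event = event_for_numeric(strtol(tmp, &end, 10));
    if (*end != '\0' || out->event == AWAY_EV_NONE)
        return -1;
    if (!(p = take_token(p, tmp, sizeof(tmp))))       /* our own nickname */
        return -1;
    if (!(p = take_token(p, out->nick, sizeof(out->nick))) ||
        !(p = take_token(p, out->user, sizeof(out->user))) ||
        !(p = take_token(p, out->host, sizeof(out->host))) ||
        !(p = take_token(p, tmp, sizeof(tmp))))       /* awaysince */
        return -1;
    out->away_since = strtol(tmp, &end, 10);
    if (*end != '\0' || out->away_since < 0)
        return -1;
    if (*p != ':')                                    /* trailing parameter is mandatory */
        return -1;
    p++;
    len = strcspn(p, "\r\n");                         /* drop the line terminator */
    if (len >= sizeof(out->reason))
        len = sizeof(out->reason) - 1;                /* truncate over-long reasons */
    memcpy(out->reason, p, len);
    out->reason[len] = '\0';
    return 0;
}

int main(void)
{
    /* Line taken from the example in the text above. */
    const char *line =
        ":maintest.test.net 598 MySelf Target ~blih test.testnet 1204309722 :lunch";
    struct away_notice n;

    if (parse_away_notice(line, &n) == 0)
        printf("%s event=%d since=%ld reason=%s\n",
               n.nick, (int)n.event, n.away_since, n.reason);
    return 0;
}
```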
now set a ban on *!*@*h.com and then later add one on *!*@*blah.com without
any trouble. Previously the second one was rejected due to the former
already matching it. To change it back edit the include/config.h setting
SOCALLEDSMARTBANNING.
reported by Monk (#0003453). It should be large enough now. Also changed the
way we deal with this when it happens (if it ever happens again..): we now
close the server connection, instead of trying to continue, because continuing
is too dangerous.
trying to read unrealircd.conf. All due to strange chmod() behavior. We now no
longer try to set permissions on Mac OS X. Patch provided by Tibby (#3489).
properly (..again..), this was previously reported by pv2b.
- CGI:IRC + IPv6: Fixed issue where all cgiirc ipv4 clients were rejected with
the message 'Invalid IP address', reported by stskeeps (#0003311), nate
(#0003533) and others.
'::ffff:1.2.3.4' ips in the conf, they are now auto-converted to that).
Based on patch from tabrisnet.
- Fixed issue where the cgiirc block did not work with IPv6, reported by
djGrrr, fixed by previous change.
- #0003363 patched by adrianp, changing IRC_UID and IRC_GID into
defines IRC_USER, IRC_GROUP which is a string specifying what user name/
group name that should be changed into, instead of a hardcoded gid/uid.
This should make it easier for packaged binary releases to work (even
though this probably means Debian will take us in, ick .. Can't we pull
a new fight with debian-legal again?)
- Retranslated the whole CDIR section (3.15)
- According to http://forditas.fsf.hu/html/node3.html the Hungarian expression for 'Internet Service Provider' should be written with a hyphen (all occurrences fixed).
will be backwards compatible as well, SJOIN doesn't care (TM) and mode
doesn't either in case of a server sending it. So this will be just a
client protocol modification.
when trying to /connect to a server with wildcards (* and ?) in the link
block. We also raise an error if link::options::autoconnect is used
together with wildcards in hostname.
will now attempt to accept() up to LISTEN_SIZE (possibly saving CPU
through this under load, and speeding up connection).
- IRCd now also sets the &me fd as being non blocking (wasn't before, that
was odd..)
file descriptors being leaked upon every /REHASH.
So if you, for example, had 3 modules loaded and rehashed 30 times, it would cause
the ircd to consume 60 useless file descriptors (which often means 60 less file
descriptors being available to clients).
new commands SVSNOLAG/SVS2NOLAG (syntax: SVSNOLAG [+|-] NickName). Obviously, care
should be taken when giving such access to a user since he/she will be able to flood
at full speed and could possibly take down the entire IRCd (well, everyone on it).
Suggested by avb, coded by djGrrr.
- Made SAPART work for multiple channels, just like SAJOIN. Reported by Snake and
SeigHart, patch provided by Bock (#0003064). This also fixes SAPART now being
announced to all opers globally, just like SAJOIN.
- Improved description of link::hub/leaf/leafdepth in unreal32docs.html reported by Bugz (#2623),
also fixed typo (leafdepth, not leaf-depth), reported by monas (#3083).
- Fixed bug where omitting class::connfreq would result in a huge connection attempt
flood when autoconnect was enabled. We now set class::connfreq to 60 if it's not
specified. Reported by Milliways (#0003018).
error, reported by Bock (#0003114).
- Added information about extbans to help.conf (/HELPOP ?EXTBANS). Patch from Bock
(#0003113).
- Made SAPART work for multiple channels, just like SAJOIN. Patch provided by Bock
(#0003064). This also fixes SAPART now being announced to all opers globally, just
like SAJOIN.
- Finally fixed /RESTART issue on windows for good, should now always restart correctly.
Patch provided by BuHHunyx and Bock (#0002734).
- Fixed set::dns::bind-ip directive seen as duplicate, reported by aegis (#0003074).
- set::dns::* block is now no longer mandatory. All info has always been read from
/etc/resolv.conf (*NIX) or the registry (Win32), and the set::dns block is ignored
(except for set::dns::bind-ip, but that's a special case). Suggested by many including
djGrrr to make things slightly more logical (#0003019).
- As a consequence of the above, set::dns blocks were removed from doc/example*conf.
- Added two more characters to Catalan charset, reported by rmh (#0002995).
- Added set::pingpong-warning [yes|no] which decides whether to send the "** If you are
having problems connecting due to ping timeouts, please type /quote pong .." message
to each client when NOSPOOF is enabled (usually on Win32). The default is NO.
Previously this message was always sent if NOSPOOF was on, which often caused
confusion among users. The message was intended for non-confirming clients, but these
should be fixed by now, and those that were not fixed (self-made bots/etc) did often
not understand the message anyway. Anyway, you can still turn it on ;). (#2680).
user target string (nick!user@host:info), instead of doing it at like 5 places.
- Spamfilter target 'u' (user): the host field (nick!user@HOST:realname) is now escaped
with brackets if it's an IPv6 address, eg: blah!blah@[1:2:3:4:5:6:7:8]:hello, reported
by aquanight and others (#0003010).
instead of letting it magically reappear whenever +x is set. This means services can
now properly "unvhost" a user by sending a "SVSMODE User -x+x" (then any existing vhost
will be removed and user will have a cloaked host). Reported by avenger and others
(#0002933).
- Made Unreal use the original name in case of a CNAME, instead of the forwarded name,
reported by jerrcsnet (#0003054).
- The "looking up your hostname" message was always sent, regardless of show-connect-info.
though it always acted like it did in the MODE line sent to the channel. This bug caused
desynchs in some cases. Bug reported by Korfio (#0003048).
- Fixes to SVSNICK: case-change no longer causes a collision, don't return the value from
exit_client (which would be FLUSH_BUFFER), fix QUIT not being sent back on collision.
- Fix for above so it doesn't -r the client.
- Renamed unreal32docs.tk.html to unreal32docs.tr.html
- Module coders: Added HOOKTYPE_POST_SERVER_CONNECT (1 param: cptr) which is called when
a server connects, just like HOOKTYPE_SERVER_CONNECT but this is actually called *after*
all clients and channels are synched. Obviously needed for some modules which must synch
data that refers to clients/channels that would otherwise not exist yet on the other side.
reported by Bock (as part of #2889).
- Fixed desynch problem with +Q, reported by tabrisnet (#0002992).
- Updated doc/coding-guidelines
- Added bugs.* url to /info, was still showing some email address.
including one reported by frigola on an old Sun Cobalt RAQ3.
It will probably also fix an issue with the just released curl 7.15.4, if compiling
with remote includes.
TODO: Update win32 (not urgent)
you do 'cd ..' and then 'cd -' again, make works just fine. This is going to be the most
stupid workaround in history... Reported by vonitsanet and others (#0002926).
- Fixed crash problem on win32 if TKL times were <0. Obviously it's hard to protect from such
invalid server traffic, but figured in this case it might be a good idea since *NIX does
not crash.
- Made a note about possessive quantifiers, they are scary :P.
+- Moved another 2K lines from core to modules, this means 31K lines are now in modules
+ and can be upgraded on the fly.
+- Real Command Aliases: This makes it possible to, for example, alias '/GLINEBOT' to
+ 'GLINE <param> 2d Bots are not permitted on this network, etcetc'. For more information,
+ see the docs on the alias block and/or search for "glinebot" in doc/example.conf.
added glinebot example @ real command aliases / updated description...
- Added 'real' aliases, these are aliases that map to real commands, so you can for example
map the command '/GLINEBOT <x>' to 'GLINE <x> 2d Bots are not allowed on this server, blabla'.
See the documentation on the alias block for more information. doc/example.conf contains an
example as well (search for "glinebot").
map the command '/BLAH 5' to 'NICK idiot5'. More info in docs on alias block.
- Modulized: badwords system (src/badwords.c is now gone) and StripColors/StripControlCodes
to m_message, multiple netsynch routines to m_server, send_list to m_list, a certain mode
routine to m_svsmode, all /MSG IRC.. webtv stuff to src/modules/webtv.c which is compiled
with m_message.
This means another ~1500 lines of code are now in modules (and thus can be upgraded on
the fly), which brings the total of modulized lines at 32K.
synchronize the IRCd clock (TSOffset) with a few good time servers. It currently only does
this on-boot, but it will hopefully help a lot of people with most of their time differences.
I still keep recommending anyone who can to run proper time-synchronization software such as
ntpd/ntpdate on their servers.
To disable time synchronization (eg: because you are already running ntp), you can simply
set set::timesynch::enabled to no.
The boot timeout for the timeserver response (=causes boot delay) can be configured via
set::timesynch::timeout and is set to 3 seconds by default (range is 1s-5s), there should
be no reason to change this.
The time server can be configured by setting set::timesynch::server, the default is to
use 3 time servers on 3 continents (US, EU, AU) which should be sufficient for anyone but
if you got a good one near you you can use that one instead.
The time protocol we use is (S)NTP v4.
this case ;p). Reported by KnAseN and many others (#0002581).
There might still be other operator count bugs, but these are triggered by a different bug
and may or may not be caused by services.
which basically means if it allows .*. If you want to require a parameter, use .+ (or
anything other in regex that requires at least one character). Suggested and patch provided
by Nazzy (#0002722).
far as we want to go with regards to relaxing "too broad" checking... Just continue to use
services AKILL for (other) "too broad cases", as many people (correctly) do. Change
suggested by salama (#0002911).
CALLBACKTYPE_CLOAK). This passes 'aClient *sptr, char *host' instead of only 'char *host'
to the cloaking module, which can be useful if you need to cloak on something other than
IP/host. Suggested by fez (#0002275).
Module may still provide only CALLBACKTYPE_CLOAK though, in fact this is what the official
cloaking module does. So no updating of cloaking modules needed.
A side-effect of this "extra cloaking" callback is that we needed to change make_virthost()
which now has an extra parameter in front, and another side-effect is that calling the
CALLBACKTYPE_CLOAK may not work since only *_EX might be available. To my knowledge there
are very few modules (only 1 I know) that will have a problem due to this, so sounds like
an affordable tradeoff.
some more odd problems from people (eg: people switching from GCC 3.x to 4.x and wondering
why they are crashing or getting other errors).
** actually, this was already committed, but forgot to commit Changes :p **
a lot of crashes. Both are now fixed. Reported by Zell, Yamake, and others (#2875, #2704).
Fix provided by Xuefer. This also gets rid of some annoying and useless compile warnings
as well.
- When checking if a user is banned, we always check the cloakhost too. Previously we could
not do this if the user had a /VHOST (=a minority of the cases, but still...). In short,
this is some extra protection to combat ban evasion.
- Performance of is_banned() *slightly* improved (just 1-2 usec, but 7 usec if no bans).
- [Module coders] For extban routines, we now offer a routine extban_is_banned_helper(buf)
which can be used instead of the ban_realhost/etc static chars stuff, see
extban_modeq_is_banned for a (real-life) example of how this is used.
- [Services coders!] Added PROTOCTL CLK (requires NICKv2) which adds an extra field in the
NICK command (when a user connects) right before the infofield (gecos).
The added field contains the cloaked host, that is: the masked host if +x would have been
set. This field is ALWAYS sent, regardless of whether the user is actually +x or not.
Services can then store this field in memory, to know the host of the user if the user
is set +x (+x-t). This is a (better) alternative to PROTOCTL VHP, with no race conditions,
and avoids some other VHP problems.
VHP will stay supported though... so it's not mandatory to switch over.
- c-ares (currently, a forked off version) enhancements:
- '/quote dns i' now shows the nameserver settings (which is taken from /etc/resolv.conf
on *NIX, and from the registry on Windows)
- We no longer depend on a C++ compiler (was useless c-ares dependency caused by libtool)
- '/REHASH -dns' now rereads the resolver data from resolv.conf/registry, no IRCd restart
needed anymore. It's currently kinda experimental however, but I *think* it will work ok.
Unfortunately the above features required some ugly hacks if curl was enabled, so if you
use curl (Remote includes), feel free to test on your OS (Linux, but especially FreeBSD
and the other *NIXes) to see if things still compile (make clean; ./Config && make).
clients support it now (mIRC, xchat, epic, eggdrop, Klient, PJIRC, irssi, CGI:IRC, etc).
It has always been weird that win32 had it ON by default and *NIX OFF, anyway.
Naturally this change will be mentioned clearly in next release notes.
clients connecting through a CGI:IRC gateway that is in cgiirc { }. This might also fix a bug
where (g)zlines were not applied to CGI:IRC clients, reported by devil (#0002850).
- Rephrased/edited part of example.conf and unreal32docs to make it a littttttle bit easier
for beginners / try to mention the FAQ a bit more explicitly.
- Modulized NAMES command (can now be upgraded on the fly, if ever needed).
- Added NAMESX support, seeing both mIRC (5.17) and XChat support this. What this does is
send all rights of all users on the channel in the NAMES reply (eg: @+Syzop if the user is +ov)
instead of only the highest one (@Syzop in previous example). We only do so if the client
explicitly requested this via a NAMESX in a PROTOCTL message (eg: 'PROTOCTL NAMESX').
Note that there is a glitch: since most clients only send the PROTOCTL NAMESX after they
see NAMESX listed in the 005 announce message this has the effect that if there are
set::auto-join channels present (where users are automatically joined to by the server) the
extended NAMES reply will not be sent for those channels, because from the IRC server's point
of view the join happened before the PROTOCTL and hence it does not know the client wanted
NAMESX at that point (the result is not catastrophic: the old-style NAMES is sent for those
channels). Anyway, for all non-autojoin channels this works great. So still worth adding IMO.
Originally suggested in #0000606.
Side note: this does not mean we dropped the idea of (also) having a challenge-response
system for good ;).
We now support the webirc ('webirc_password' in CGI:IRC) method, which is kinda superior
to the older method ('realhost_as_password').
See the Unreal documentation (section '4.36 - Cgiirc Block') for details on how to configure.
- Changed quoting color in unreal32docs.. looks better now IMO (only English docs updated).
"trusted" and the IRCd will show the users' _real_ host/ip everywhere on IRC, instead of the
_CGI:IRC-gateway_ host/ip.
To do so you must set 'realhost_as_password' to 1 in your cgiirc.conf. And add the
CGI:IRC gateway(s) you fully trust to set::cgiirc::hosts.
means no longer weird issues with +b *\* etc not banning nicks with \ in it.
ExtBan ~c/~r get special treatment and will use our match_esc [match with escaping]
routine, that way you can ban channels such as "#f*ck" via "+b ~c:#f\*ck".
Fix triggered by bugreport of vonitsanet (#0002782).
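A wildcard matcher with backslash escaping, showing why a ban such as ~c:#f\*ck hits only the channel literally named #f*ck while an unescaped * stays a wildcard. This is an added example, not UnrealIRCd's match_esc routine: the function name mask_match_esc is hypothetical and the plain ASCII case folding is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>

/* ASCII case-insensitive comparison (an assumption; IRC casemapping may differ). */
static int same_char(char a, char b)
{
    return tolower((unsigned char)a) == tolower((unsigned char)b);
}

/*
 * Returns 1 if `name` matches `mask`, else 0.
 *   '*'   matches any run of characters (including none)
 *   '?'   matches exactly one character
 *   '\x'  matches the character x literally, so "\*" is a real asterisk
 * A trailing lone backslash is treated as a literal backslash.
 */
int mask_match_esc(const char *mask, const char *name)
{
    const char *star_mask = NULL;  /* mask position right after the last '*' */
    const char *star_name = NULL;  /* where in name that '*' started matching */
    const char *next;
    int ok;

    for (;;) {
        if (*mask == '*') {
            while (*mask == '*')
                mask++;
            if (*mask == '\0')
                return 1;          /* trailing '*' swallows the rest */
            star_mask = mask;
            star_name = name;
            continue;
        }
        if (*name == '\0')
            return *mask == '\0';  /* both exhausted means a full match */

        if (*mask == '\\' && mask[1] != '\0') {
            ok = same_char(mask[1], *name);   /* escaped: compare literally */
            next = mask + 2;
        } else if (*mask == '?') {
            ok = 1;
            next = mask + 1;
        } else {
            ok = (*mask != '\0') && same_char(*mask, *name);
            next = mask + 1;
        }

        if (ok) {
            mask = next;
            name++;
            continue;
        }
        if (star_mask == NULL)
            return 0;              /* mismatch and nothing to backtrack to */
        name = ++star_name;        /* let the last '*' absorb one more character */
        mask = star_mask;
    }
}

int main(void)
{
    /* Masks follow the ban parameters quoted in the text; "#fxck" is constructed. */
    printf("%d\n", mask_match_esc("#f\\*ck", "#f*ck"));  /* escaped star, literal match */
    printf("%d\n", mask_match_esc("#f\\*ck", "#fxck"));  /* escaped star is not a wildcard */
    printf("%d\n", mask_match_esc("#f*ck", "#fxck"));    /* unescaped star is a wildcard */
    return 0;
}
```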
the switchover we were accidentally using different ones which caused funny kill messages
like "You were killed by a.b.c (a!a.b.c (SOMENICK[N\A](?) <- d.e.f))." This also broke
some bans in pre2/rc1. Bug reported by HERZ (#0002772).
contains the (root) certificates of most major Certificate Authorities. It is basically
the default curl ca-bundle.crt plus cacert's certificates.
The 'curl-ca-bundle.crt' will be copied to the installation dir if needed.
It will from now on be used by Unreal for all remote includes (curl) related certificates.
If you want to use https but don't want to buy a certificate, we suggest you to apply for
a free certificate at CACert (www.CACert.org). Or, alternatively, add your own certificate
(PEM encoded) to curl-ca-bundle.crt, see 'SSLCERTS' in the curl package for more info.
but is actually understandable and has less bugs. This fixes +b ~c:#c\*t not properly
matching #c*t, reported by Jason (#0002752). Initial results look good, but this needs
some good testing ;).
- Updated unrealinst.iss: made it easier for me to have 2 curl versions, this is so we can
ship the SSL version of unreal with a curl that supports SSL (https, etc).
- Preparations for pre-1 (version change, etc)
- Changed the default maxbanlength from 1K to 2K, which means people can set more bans because
in practice the 60 (maxbans) limit was never met because the maxbanlimit was set so low.
set::maxbans in the configfile, note that you probably also want to enlarge set::maxbanlength
as well (see docs) or else you will hit that limit first.
- Changed the default maxbanlength from 1K to 2K, which in practice will mean people can set
a lot more bans since in practice the 60 (maxbans) limit was never met because the
maxbanlimit was set so low.
an error, since specifying usermask should not be done and is useless, since a (G)ZLINE
takes place BEFORE ident lookups.
- Did the same for /(G)ZLINE *@hostmask (should be *@ipmask), this already was a warning
in 3.2.3, and is an error now in 3.2.4.
- Redid some net synching code to make it more efficient (#2716).
- Fixed spamfilter crash problem: the action 'viruschan' is now no longer incompatible
with target 'user'. Reported by Monk (#0002570).
oper privileges on quarantined servers will be instantly killed. Bit ugly perhaps, but
then it actually does what it should (prevent opers on quarantine from getting GLOBAL
oper privileges). This "fixes" #2510, #2163 and #1968.
[forgot docs commit]
- Made ./Config better react to errors (no longer print a "everything is a big success"
kind of message when in fact everything went wrong).
- Made ./Config (configure) exit on openssl or zlib not found errors, instead of
silently continuing and then causing trouble later on. Also now printing _a bit_
more helpful error message.
you have to put 'spamfilter yes;' in every alias block you want to get filtered.
This is so you can have for example /MS filtered (due to heavy spam), while keeping
/NS and /CS unfiltered. Reported by Homer (#0002496).
- The memoserv aliases (/MS and /MEMOSERV) now have spamfiltering enabled by default.
in the function, reported by Robby22 (#0002696).
- Fixed set::static-part set to 'no' not working properly. Reported by Robby22 (#0002698).
- Fixed crash in new resolver, reported by firstof9.
unreal version that the user is using. I presume this can be helpful (although nobody ever
suggested it ;p). The macros (#define's) are:
UNREAL_VERSION_GENERATION   The generation version number (eg: 3 for 3.2.4)
UNREAL_VERSION_MAJOR        The major version number (eg: 2 for 3.2.4)
UNREAL_VERSION_MINOR        The minor version number (eg: 4 for 3.2.4).
                            This can be negative for unstable, alpha and beta versions.
UNREAL_VERSION_TIME         Year + week of the day (starting on Monday), eg: 200541.
                            This is updated on the CVS server every week.
The first 3 are for nicely identifying the version, the 4th can be useful in case
you want to support CVS and/or want some more control.
Reported by Trocotronic (#0002659).
- Fixed a problem with entries in the hosts file (such as, usually, localhost), this would
cause an unresolved host and a 30s delay for the user, even though resolving succeeded.
This should get rid of some annoying untraceable (and usually rare) crashbugs in the
old resolver. Besides that, it makes things look more clean and understandable.
This should be the fix for the following bugids (all the same issue): #2499, #2551, #2558,
#2559, #2603, #2642, #2502, #2501, #2618, #2616.
Feedback and testing is very much welcomed (syzop@unrealircd.com).
generated (for linkage by commands.so), are now used to generate the .so files of the
individual modules as well (eg: m_setname.o -link-> m_setname.so). This reduces compile
time ('make') on my machine by 33%, so it's quite noticeable ;).
It also sends a numeric to the user saying the command has been processed, but a copy
has been sent to ircops. I feel this is a good idea for privacy reasons (anti-spy),
though I don't know how users will react to this. If you are using this on your network
and get users bothering you about it (or before that ;p), it's probably a good idea
to explain it somewhere on your site or FAQ :).
Example usage:
/spamfilter add p warn - Testing_mirc_decode_filter \$decode\(.*\)
[WARNING] The numeric text is likely to change in the next few weeks (early-cvs-commit).
- If a class block was removed and any other blocks would be referencing the class block
(such as: allow::class, oper::class, link::class), then this would cause a crash.
Reported by Mike_ (#0002646).
- CMDLINE_CONFIG behavior change: command line configuration is now still permitted
if #undef'ed (which is the default) if uid==euid && gid==egid, since it doesn't make
any sense to disable it then and is in fact just plain annoying.
- Added FAKELAG_CONFIGURABLE option in include/config.h, this enables an option called
class::options::nofakelag, which disables "fake lag" for a certain class (that is:
the artificial delay introduced by the ircd to prevent flooding is turned off,
allowing the user to flood at full speed).
ITS USE IS DISCOURAGED UNLESS YOU REALLY KNOW WHAT YOU ARE DOING.
Sorry, option is not in ./Config -advanced since I don't get autoconf working, but it's
such a scary option that this might as well be a good idea to keep in config.h anyway.
This feature has been suggested for several years (and refused), but the final
suggestion (with implementation specific hints) came from Gilou in bug #0002207.
- changed a comment slightly in m_tkl.c to get rid of harmless warning ;)
a spamfilter, but cannot remove it" problems. In practice this means - depending on the
length of your spamfilter reason - regexes will be max ~300 characters.
Spamfilters set in the .conf can be slightly longer (which still causes them to be
truncated in '/stats f', but they don't have to be removed anyway so it's kinda
acceptable if it's really needed). This should fix bug #2083, reported by White_Magic.
'u' (user) target can cause severe problems (crashes, etc). For now, we have disabled
'viruschan' in combination with 'u'. A real fix will require quite some work, sorry.
escape them like in all bans (eg: to ban #* you need to +b ~c:#\*). As an additional
bonus, real wildcards are now accepted and processed (eg: +b ~c:#*sex*, just don't
forget to specify the #). Reported by PhantasyX (#2605).
- Sidenote on above: ~c:*chan* is not supported (use ~c:#*chan* instead) because it would
cause "hidden bans", therefore it now prints a message (which is useful anyway), but
does accept such remote bans. In 3.2.5 or so we could enable support for it, it's
not that important though... ;)
- Added ifdefs for mass closing of file descriptors on start, can now be disabled by
adding -DNOCLOSEFD as a compile option. Useful for valgrind w/--db-attach=yes, mpatrol,
and some other debugging tools (not useful for anyone normally running a server).
- Fixed a read-after-free: sptr->serv->aconf was freed but not NULL'ed in exit_client,
causing close_connection to read from it (when deciding on doing a quick reconnect).
Could have caused a crash, although nobody ever reported one...
- Removed useless strncpyzt with dest==src.
- Added -fno-strict-aliasing.. this might well be temporary, but we get tons of strict-
aliasing warnings, so it sounds good to disable this type of optimization for now.
and 2000 lines total that can be hotfixed if needed ;). The effort involved in moving all
this sucks a lot though :/. This might need some more testing to make sure it doesn't break
anything.
- Updated support OS list in documentation.
whenever a server is added to a network it has a lot of power that cannot simply be controlled
by things like unsetting operflags remotely or anything else. I don't want to encourage
anyone to use it.
- Redid include dependencies in Makefile, this makes things safer because on any .h change it
would force a recompile of all files, but it could mean things will be a bit slower for us
coders unless we tweak it later on.
- Changed whois a bit to print less useless results.
- Added several indicators to the "detect binary incompatible modules"-system such as detecting
of a ziplinks module on non-ziplinks (on windows this is ok however), nospoof module on a
server without nospoof server, etc. Hopefully this will help some people preventing odd
crashes because they did not recompile or (re)install modules properly.
- Added './unreal backtrace', so far this has only been tested on Linux and FreeBSD.
- Fixed a bug making ./Config not load the previously stored settings on Solaris 10 and
probably other Unixes, reported by lion-o (#0002474).
system accept more characters. Basically what this means is that the (fast) badwords
system can now be used to properly block words with accents and things like that, just
the way you block English words. Bug reported by MJ12Helios (#0002311).
- Opers with can_override can now +qa/-qa even if they are not netadmins,
and they can also (un)set L/u.
- Fixed several SAMODE bugs, such as not completely working for non-netadmins and
not working if you were halfop'ed, etc.
Bugs reported by pak, aquanight, niphler, Bugz, and more.
If there are still any bugs left, please report them on http://bugs.unrealircd.org/
NOTE: some of these enhancements will produce desynchs if your net is not 100%
on current CVS / Unreal3.2.3 and an oper tries to use these 'new features'.
So use with care on mixed-version nets.
- Added 'czech-w1250' and 'slovak-w1250' (both might miss a few characters).
- Added 'windows-1250' group which contains czech-w1250, slovak-w1250, polish-w1250
and hungarian.
- Hungarian characters show both fine in w1250 and latin2, hence hungarian is included
both in 'windows-1250' and 'latin2'.
- Fixed bug: polish was not included in latin2
- If a locop now has can_override/can_gkline/can_gzline we will print out a warning and
convert it to globops. This is also what we always did for can_globalroute/can_gkill
(well, except the warning). Giving such NETWORK (GLOBAL) privileges to a LOCAL operator
does not make any sense and is therefore no longer allowed.
by Ron2K (#Ron2K).
- Module coders: using extcmode_default_requirechop is now deprecated, check src/extcmodes.c
ctrl+f extcmode_default_requirechop for more details (solution: copy+paste & fill in modechar).
reported by seneces (#0002333).
- Fixed doc bug reported by Dukat (#0002374). Also fixed 2 error msgs related to
the nickchars system printing out incorrect set:: directives.
- spamfilter.conf and dccallow.conf are now also copied upon make install, reported by
TommyTheKid (#0002313).
- Built in some additional checks (especially for Chinese).
- Fixed a bug in chinese character range (affecting 3.2*)
- Relaxed nick character checking from remote servers (rely on NICKCHARS= PROTOCTL
to deal with problems). This is useful to prevent any kills in case we slightly
change the characters that are allowed in a language.
- Got rid of 'latin7', tiny mistake ;)
- Removed e' accent from German (used in borrow-words only), reported by Dukat.
- Added 'swiss-german', which is just German without es-zett, reported by Dukat.
- Added 'turkish', supplied by Ayberk Yancatoral.
If 2 servers try to link and the allowed nick characters do not fully match, then
the link will be rejected. Note that this will not prevent you from 3.2.2<->3.2.3/CVS
charsets mistakes, but only with linking CVS/3.2.3+ servers. Suggested by Troco (#0002360)
This might need some additional testing, but initial results are positive :).
- Renamed 'euro-west' to 'latin1' since that's more descriptive/fair ;)
- Added 'hungarian' [supplied by AngryWolf]
- Added category 'latin2': just Hungarian for now
- Added 'catalan' [supplied by Trocotronic]
- Added 'greek' [supplied by GSF]
- Added category 'latin7': alias for 'greek'
- Added category 'gbk': alias for 'chinese'
still cutoff if the nick is too long. Basically this is the same way as Hybrid does it
so it should work ok :).
- Added nick character system. This allows you to choose which (additional) characters
to allow in nicks via set::allowed-nickchars. See unreal32docs.html -> section 3.16
for a list of available languages and more info on how to use it.
Current list: dutch, french, german, italian, spanish, euro-west, chinese-trad,
chinese-simp, chinese-ja, chinese.
If you wonder why your language is not yet included or why a certain mistake is present,
then please understand that we are most likely not experienced (at all) in your language.
If you are a native of your language (or know the language well), and your language
is not included yet or you have some corrections, then contact syzop@vulnscan.org or
report it as a bug on http://bugs.unrealircd.org/
- If no log { } block is present a warning will be printed out and we will fallback
to a default of logging errors to ircd.log. Suggested by w00t (#0002327).
check if the user is voiced/halfoped/etc.. Especially useful for +e ~c. Idea from
Bugz (#0002198). Obviously all servers need to be upgraded to make this work.
throttle the number of joins per-user to X in Y seconds. Idea from Angrywolf (who
wrote a module that did this before). This might need some more testing :).
It's enabled by default but can be #undef'ed in include/config.h (line 449).
(perhaps this should be a different function?). Anyway, this means less diskspace
is needed (~1.5mb or more), and it also makes it a bit easier for RBAC (#2300).
- Made a new function DoMD5() which is ssl/non-ssl independent. Also made the cloaking
module and the auth functions use it. Hopefully I didn't break anything ;). Suggested
by Bugz (#2298).
- Modulized a lot of commands and related subfunctions: NICK (750 lines), USER (200),
MODE (2300), WATCH (250), JOIN (600), PART (250), MOTD (100), OPERMOTD (100),
BOTMOTD (100), LUSERS (100). More will follow soon (probably including more subfunctions
related to existing commands).
- [Module coders] Added new function: do_cmd(cptr, sptr, cmd, parc, parv) which is a
uniform method to call any other commands. For more info, see description in src/parcket.c.
This will be used for any further modulization of commands that need to call other
commands, like NICK (will be done soon).
translations.txt.
DEL: Unreal31_to_32.html & example.settings DUE TO outdated
MOD: Authors (added myself, updated griever end date), translations.txt (updated
to mention that it takes a lot of time, and added a note on using word/frontpage).
to send to normal users w/the snomask set.
- Fixed dcc filtering a bit more.
- Made usermode 'g' operonly since it didn't do much, reported by DukePyrolator (#0002024).
- Numeric audit: 15 small changes (int/long mismatches etc). This might have fixed some
bugs on architectures where 'long' and 'int' have different sizes (eg: opteron).
hardly ever seen (unless you have +s +j set). For example a bad link::bind-ip only caused
"Couldn't connect to xxxxxx" without any meaningful error message. Additionally, errors
sent to report_baderror() are now logged.
^^ way too long description for a small tweak :p
Gilou and Trankill for making me able to trace this issue down (#0002032).
- Fixed qline notices again: now gives msg #1 for local qlined-nick attempts, and
another msg in case of a remote client (eg: oper) using a qlined nick.
work just the same as the HOOKTYPE_LOCAL_* variants).
- Module coders: HOOKTYPE_REMOTE_CONNECT is now also called during net-merge. You can use
IsSynched(sptr->srvptr) to find out if it's called due to a net merge (0) or a connect (1).
- Added spamfilter 'user' (u) target. This regex is checked against nick!user@host:realname
when a user connects. This makes it easy to ban drones with simple patterns.
For example: '/spamfilter add u gzline 86400 Drone[0-9]+!.+@.+:Drone[0-9]'
would kill any drones that have both a nick and realname with 'Drone' followed by digits.
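The 'u' target match described above, as an added example (not UnrealIRCd's own code). It uses POSIX regcomp() as a stand-in for the ircd's regex engine, and the sample users and the anchored pattern are constructed here to show how an unanchored pattern widens what a gzline rule hits.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed sample clients; this struct is illustrative, not UnrealIRCd's aClient. */
struct sample_user {
    const char *nick, *user, *host, *realname;
};

static const struct sample_user drone     = { "Drone4821", "d",     "198.51.100.7", "Drone4821" };
static const struct sample_user nick_only = { "Drone1",    "alice", "example.net",  "Alice" };
static const struct sample_user lookalike = { "MyDrone7",  "bob",   "example.org",  "Drone9 racing fan" };

/* The regex from the changelog entry, and an anchored variant added for comparison. */
static const char *PAGE_PATTERN     = "Drone[0-9]+!.+@.+:Drone[0-9]";
static const char *ANCHORED_PATTERN = "^Drone[0-9]+!.+@.+:Drone[0-9]+$";

/* Build the string the 'u' target is checked against: nick!user@host:realname.
 * Returns 0 on success, -1 if it does not fit (a truncated string is never matched). */
static int build_user_target(const struct sample_user *u, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s!%s@%s:%s", u->nick, u->user, u->host, u->realname);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Returns 1 on match, 0 on no match, -1 on a bad pattern or oversized input. */
int user_target_matches(const char *pattern, const struct sample_user *u)
{
    char target[512];
    regex_t re;
    int rc;

    if (build_user_target(u, target, sizeof target) != 0)
        return -1;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, target, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    const struct sample_user *users[] = { &drone, &nick_only, &lookalike };
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        printf("%-10s realname=%-18s unanchored=%d anchored=%d\n",
               users[i]->nick, users[i]->realname,
               user_target_matches(PAGE_PATTERN, users[i]),
               user_target_matches(ANCHORED_PATTERN, users[i]));
    }
    return 0;
}
```

The unanchored pattern also matches the constructed "MyDrone7" user, so a rule with a gzline action is worth testing against legitimate nick and realname shapes before it is added.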
attacks (eg: rainbow) and prevents cracking of several passwords at once.
This change means /MKPASSWD will now just generate a different string than before.
Do note however, that the old syntax/encrypted passwords will still work and _will continue
to work_ in the future, for at least the whole 3.2* series.
If you are concerned with security and have some time, then converting your passwords
is probably a good idea... Just in case your configuration file gets stolen one day ;).
- MD5 password encryption is now always available on *NIX, even if SSL is disabled.
that you should pass the ZIP_LINKS etc options to 'nmake -f makefile.win32 custommodule'
many people didn't do this which caused odd problems when reading certain clientstructs.
Module coders: in the meantime, for 3.2.1 mods, use something like:
nmake -f makefile.win32 USE_ZIPLINKS=1 ZLIB_INC_DIR="c:\dev\zlib"
ZLIB_LIB_DIR="c:\dev\zlib\dll32" custommodule MODULEFILE=m_mymodule
For 3.2.2+ these additional parameters will no longer be needed (but wouldn't harm either).
weirdness, this also affected spamfilter (so any spamfilters added only at notice
and not at msg on windows would not work). Now using the real 'notice' parameter.
Also linked to a page with an unreal dev package which contains zlib+ssl+curl
precompiled. This basically means many people no longer need to compile zlib/ssl/curl
anymore themselves (which is a pain to do and takes a lot of time).
compiling modules and their (binary) compatibility, zip links (zlib), ssl (OpenSSL)...
Remote includes (curl and c-ares) instructions still need to be added.
- Made 'Install as a service' unchecked by default, this should help beginners a lot.
/connect or autoconnect) and was not present in the cache. Reported and traced by sh0
(#0001976).
- Fixed compile bug at *NIX caused by ModuleGetErrorStr fix.
multiple reference count bugs, one related to sptr->serv->conf, and another one related
to sptr->serv->class. Both caused problems when someone did a /rehash when a server
was in the process of connecting (so it might also happen when connfreq was hit and you
did a /rehash). Original bug was reported by sh0 (#0001872).
- Updated example.conf: added all new flags we added in the example block, removed
old confusing comment on SEGV logging, config.h: ripped out lPATH since that define
isn't anywhere used and is only confusing.
because it's slightly faster (already replaced all of them in src/s_kline.c).
GetIP(acptr) will return the ip for local users and remote users that support NICKIP,
it returns NULL for remote users that are on non-NICKIP servers (or have non-NICKIP
servers along their path).
- internal: tkl_add_line now returns aTKline *
- Added some more hooks:
- HOOKTYPE_TKL_ADD [aClient *cptr, aClient *sptr, aTKline *tk]
- HOOKTYPE_TKL_DEL [aClient *cptr, aClient *sptr, aTKline *tk]
NOTE: 'NULL, NULL, tk' is used for *lines that are removed due to expiring
- HOOKTYPE_LOCAL_KILL [aClient *sptr, aClient *target, char *comment]
it will just accept it if it's from a remote server, and also ops/etc will be allowed
to REMOVE any unknown extbans (but not add new unknown ones).
- Added extended ban type ~n (nickchange ban), if a user matches this (s)he can not
change nicks (eg: +b ~n:*!*@*.aol.com) unless (s)he has voice or higher.
This can be useful as an overall measure for some +m chans (+b ~n:!*@*) or against
specific 'good' people that are just nickflooding due to a wrongly configured script.
- Added set::restrict-extendedbans by which you can disallow normal users to use
any extendedbans ("*") or disallow only certain ones (eg: "qc").
- Made the negative TS message a bit more annoying if time is off more than 10 seconds.
- Module coders: if CmdoverrideAdd() is called for an override that is already in place, it
now sets MODERR_EXISTS as errorcode and returns NULL (previously it added duplicates).
In the past module coders had many issues with PERM mods... you had to use weird tricks,
but now you can (and should!) just override on INIT and on HOOKTYPE_REHASH_COMPLETE.
- Moved register_user declaration to h.h, updated call in m_pingpong.c (due new 'ip' field).
- Usermode +v ('receive dcc send rejection notices') is oper-only now for privacy reasons.
- Added dcc allow { }, which allows one to make exceptions over deny dcc { }.
- Added deny dcc::soft and allow dcc::soft item, if set to 'yes' it allows someone
to explicitly override it per-person via /DCCALLOW (see next).
- Added DCCALLOW system, taken directly from bahamut.
With this system you can block certain (or all) DCC SENDs and then allow the user to
'override' this limit for every user he/she trusts via '/DCCALLOW +User'.
This is an attempt to stop (or at least limit) the spreading of viruses/etc.
See '/DCCALLOW HELP' for more info.
- Added example dccallow.conf which filters everything except some known
'safe types' (jpg, jpeg, png, gif, etc). Note that the purpose of this file
is NOT to get a complete list, rather to limit it to a few 'known safe' entries.
- Added set::maxdccallow: max number of entries of the DCCALLOW list (default: 10).
- Added release notes (no, we won't release 3.2.1 anytime soon.. just updating ;p).
- Added various extra messages to make it a bit easier for people who are
upgrading (win32 commands.dll, cloaking mod).
- Made win32 ssl<->non-ssl modules binary compatible.
- Added ssl/non-ssl check in Mod_Version on *NIX.
- Added set::options::flat-map: This makes all servers look like they are linked
directly to the server you are on (/map, /links), thus you cannot see which server
is linked to which ("hopcount"). This can make it a bit harder for kiddies to find
any 'weak spots' (which server to attack/[D]DoS). Obviously opers will always
see the real map.
normal joins to the virus-help-channel. This way you could prevent users into
accidental (or tricked) joining of the virus-help-channel and becoming infected.
This feature is disabled by default. Requested by bleepy (#0001811).
- It now goes to <prefix> and higher, so '/notice +#chan hi!' goes to +vhoaq
- You need at least voice in order to be able to msg/notice +#chan, %#chan or @#chan
- You need at least ops in order to be able to msg/notice &#chan or ~#chan
- Any multi-prefix targets will be converted automatically (eg: ~&@#chan to @#chan).
- internal: use of the CHANOPPFX macro is now deprecated.
All of this was done to make it a bit more 'safe' and userfriendly (#0001812).
in a netjoin when there was no need to (nothing to synch).
- Added spamfilter::except which allows you to specify targets
(eg: channels) where spamfilter should not take action. Requested by Fury
(#0001586). Ex: set { spamfilter { except "#spamreport,#help"; }; };
- Improved 'viruschan' spamfilter target:
- better msg after the forced join
- +oaq's in set::spamfilter::virus-help-channel receive a notice about
which filter the user matched.
- it disables all commands except PONG, ADMIN, and msg/notices to
set::spamfilter::virus-help-channel.
- Made snomask +S also show the spamfilter reason field.
- Added class::pingfreq checking, should be 30-600 now.. else you might
get mysterious (mass) disconnect issues.
- Lol, I made /connect disappear during modulizing ;).
- Fixed a few wrong macros (ircstrdup/ircfree) in s_conf.c causing
very weird behavior... This also fixes a bug where set::spamfilter::ban-reason
would have the value of ban-time.
- Improved spamfilter again.
- The new syntax is:
/spamfilter [what] [type] [action] [tkltime] [reason] [regex]
[tkltime] specifies the duration of any *lines placed by this rule.
[reason] specifies the *line, kill and/or block reason.. no spaces
allowed, but '_' will be escaped to a space.
In both cases you can simply use '-' to skip and use the default.
Ex: /spamfilter add p block - - Come watch me on my webcam
/spamfilter add p gline 3h Please_go_to_www.viruscan.xx/
nicepage/virus=blah Come watch me on my webcam
- A message is now shown if the msg/notice/dcc is blocked.
- There are 2 new spamfilter action types:
'dccblock' will mark the user so (s)he's unable to send any files by DCC.
'viruschan' will part the user from all channels and join
set::spamfilter::virus-help-channel (default: #help).
this action might be improved to do more later.
- Internal: added EXTTKL PROTOCTL, this determines if 10 parameters
instead of 8 are supported for m_tkl (used by spamfilter add).
This new system needs some testing... :)
value should now be one of EX_*:
EX_DENY : disallowed, except for oper override
EX_ALLOW : allowed
EX_ALWAYS_DENY : disallowed, even in case of operoverride (eg for
operlevel modes like +A).
Note that it's backward compatible since TRUE/EX_ALLOW=1 and FALSE/EX_DENY=0.
- Fixed a few bugs with oper override & extended chanmodes, for example
chanmode +T could not be set by a globop w/can_override and non-+hoaq.
by non-netadmin ircops in some (many) cases, reported by Zell (#0001541).
note: this fix is still "wrong", because the whole override/whatever
system is flawed ;p.
I worked on a few months ago... It tries to explain how to get a server/network
secured, what the potential risks are, etc... Of course security is a complex topic
so I cannot talk about everything in it, but I tried to mention the main risks and
what you can do about it in a (hopefully) simple and understandable language ;).
- Added snomasks 'S' (Spamfilter) which notifies you of any spamfilter matches.
- [internal] always return after spamfilter match, don't continue looping through
targets list (eg in case of: /msg #a,#b,#c spamspam), otherwise you would get
duplicate notification msgs.
- Added SENDSNO server command, similar to SENDUMODE but for snomasks, this is
used by the spamfilter snomask (+S) so you get network-wide notifications.
- Added "compiled for.." versioning system, this way a beta17 module can't be loaded
on beta18, etc... People often forgot to recompile their modules or had old ones
somewhere by mistake, therefore crashing after upgrades... this should fix this
(in the future). Module coders don't have to do anything for making this work,
it's done automatically (via modules.h).
spamfilter::word to spamfilter::regex to make it even more clear (since we match
on the whole line and have nothing to do with words.. 'word' doesn't make sense).
- Updated docs with some better regex examples, reported by AngryWolf (#0001520).
called which might look a bit ugly, but is better than before (scattered on 3 places).
- Added snomasks 'N' which allows you to see nick changes of clients on other servers,
requested by several people (#0001323).
introduce throttling of other msgs (or making this configurable)... this is just
an exception because this msg is sent to _all opers_ and you cannot disable it by
unsetting certain snomasks. Anything lower than 15s would be bad anyway since this
is a very serious error condition. Requested by LoVeR (#0001412).
- Fixed 'no server notice on /restart or /die', reported by Lx (#0001062). This was caused
by a bug in flush_connections(&me), hopefully there won't be any side effects.
- Fixed file owner problems when IRC_UID/IRC_GID is used (eg: when running chrooted).
- Fixed crashbug if we were unable to write a remote include file to disk.
expire times, reason field, etc... Entries are now fully synced between servers.
Reported by Cnils (#0001448).
- Added umode +T to help.conf
- Fixed an issue with add/del/remove in /spamfilter being case sensitive.
"blind proxies" (like HTTP POST proxies).
- WebTV updates: made it so (user generated) channel notices are now displayed as
privmsgs in the channel. Also made the /knock channelnotice a privmsg for webtv.
random numbers. We will also no longer be using rand()/random() anywhere.
Thanks to dek\ for pointing out this is potentially dangerous, especially on
win32 with NOSPOOF enabled.
integration now, no.. it doesn't work at all yet but most of the internal stuff
has now been done (but I temporarily need to work on other things now).
moved/added a lot of regex stuff, banaction/spamfilter helper functions, etc
into s_misc.c. [note: current code has some bugs but since the stuff isn't
used that's no problem... it's also a bit ugly, do NOT mail me about these things ;p]
- Enabled talk-through-+M for opers (just like +m)
- Disabled talk-through-+m/+M for opers if NO_OPEROVERRIDE is defined
- Display zlib/SSL version in /version (oper only)... will prolly be improved later.
- updated doc/compiling_win32.txt
Instead of 1 big list of *lines, it's now an array to easily distinguish between types.
Also made tk->usermask static (USERLEN+2) instead of dynamic.
These changes should give enough speed improvement to make the new anti-spam/anti-ads
feature fast enough.
These bans look like ~<type>:<stuff>. Currently the following bans are available:
~q: quiet bans (ex: ~q:*!*@blah.blah.com). People matching these bans can join
but are unable to speak, unless they have +v or higher.
~c: channel bans (ex: ~c:#idiots). People in #idiots are unable to join the channel.
~r: gecos (realname) bans (ex: ~r:*Stupid_bot_script*). If the realname of a user
matches this then (s)he is unable to join.
NOTE: an underscore ('_') matches both a space (' ') and an underscore ('_'),
so this ban would match 'Stupid bot script v1.4'.
These bantypes can also be used in the channel exception list (+e).
+e ~r:*w00t* makes anyone with 'w00t' in their realname able to join,
and +e ~c:#admin makes anyone in #admin able to join, etc..
This system allows modules to add extended bantypes too.
This feature requires some additional testing, also the module interface will
probably be changed in the next few weeks, and perhaps more extended bans will
be added before next release.. we'll see...
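A mask matcher for the two extended-ban rules this changelog describes: the ~r rule above where '_' matches a space or an underscore, and the ~c rule from the later entry where a literal '*' in a channel name must be escaped (~c:#\*). This is an added example, not UnrealIRCd's matcher; the function name, the flag, '?' support and ASCII case folding are assumptions.

```c
#include <ctype.h>
#include <stdio.h>

#define MATCH_UNDERSCORE_SPACE 0x1  /* ~r rule: '_' in the mask matches ' ' or '_' */

/* Compare one mask character against one subject character (ASCII case-insensitive). */
static int char_eq(char m, char s, int flags)
{
    if ((flags & MATCH_UNDERSCORE_SPACE) && m == '_')
        return s == ' ' || s == '_';
    return tolower((unsigned char)m) == tolower((unsigned char)s);
}

/* Wildcard match: '*' = any run, '?' = any one char, "\x" = literal x.
 * Iterative with single-star backtracking, so it cannot recurse deeply
 * on hostile masks. Returns 1 on match, 0 otherwise. */
int mask_match(const char *mask, const char *str, int flags)
{
    const char *star_m = NULL;  /* mask position just after the last '*' */
    const char *star_s = NULL;  /* subject position where that '*' started */

    while (*str) {
        if (*mask == '*') {
            star_m = ++mask;
            star_s = str;
            continue;
        }
        if (*mask == '\\' && mask[1]) {
            /* Escaped character: must match exactly, never acts as a wildcard. */
            if (mask[1] == *str) {
                mask += 2;
                str++;
                continue;
            }
        } else if (*mask && (*mask == '?' || char_eq(*mask, *str, flags))) {
            mask++;
            str++;
            continue;
        }
        if (!star_m)
            return 0;
        /* Let the last '*' swallow one more character and retry. */
        mask = star_m;
        str = ++star_s;
    }
    while (*mask == '*')
        mask++;
    return *mask == '\0';
}

int main(void)
{
    /* Constructed inputs based on the masks quoted in the changelog. */
    printf("~r with '_' rule:    %d\n",
           mask_match("*Stupid_bot_script*", "Stupid bot script v1.4", MATCH_UNDERSCORE_SPACE));
    printf("~r without the rule: %d\n",
           mask_match("*Stupid_bot_script*", "Stupid bot script v1.4", 0));
    printf("~c:#\\* vs #*:        %d\n", mask_match("#\\*", "#*", 0));
    printf("~c:#\\* vs #help:     %d\n", mask_match("#\\*", "#help", 0));
    printf("~c:#* vs #help:      %d\n", mask_match("#*", "#help", 0));
    return 0;
}
```

The unescaped mask #* matches every channel, which is why the escaped form is needed to ban only the channel literally named #*.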
If set to 'yes' or '1' it will strip all part comments,
if set to something else it will use that as a part comment.
- Partial cleanup of m_part (hopefully I didn't destroy anything).
- Minor stats compile warning fixed
with the same oper block. Suggested by kain.
- Made /dns oper-only (the ircd command, not your client /dns command :p).
- Various help.conf fixes. Reported by nukie (#0001373).
- Normal users can now get a list, versioninfo will be hidden however.
- Opers get some additional details like hooks and commandoverride's.
- Opers can use /module <servername> to get a remote list of loaded modules.
- Added flag [3RD] to show it's a 3rd party module
This was requested by quite some people because serveradmins started to load
"spy modules" without clearly mentioning it in the MOTD (which is highly unethical
and in some countries even illegal due to privacy law). Also the remote module
list was requested by quite a few opers.
Sure, this isn't a 100% guarantee but at least if someone goes hiding stuff
then it's clear what their intentions are (and thus will be refused support, ..).
- Changed emailaddr in help window at windows to unreal-users mailinglist.
- Made the cloak mismatch msg during linking a bit more scary.
- Added comment to 'Install as a service' option in installer to help n00bs a bit.
this will currently produce a lot of warnings with -Wall.
- Fixed 159 of 184 warnings detected by the above, the other warnings are false.
Most warnings had to do with long vs int, and thus the format strings (%d->%ld)
or the vars (int->long) have been changed (many of these were time_t/TS vs int).
Only a few rare crashbugs were discovered.
- Module coders: for HOOKTYPE_LOCAL_CHANMODE the 'sendts' parameter was changed
from type 'int' to 'time_t', while in most circumstances (like on ia32)
you won't notice, I suggest you to update your callback functions anyway.
- Possibly fixed an issue with set::modes-on-join and mode +f, it could have
set random remove-chanmode times in the default chanmode line.
- Fixed two OperOverride kick bugs:
- If ircop is +h and victim is +h it would deny it, reported by Special (#0001308)
- Ircops (all except netadmin) had trouble kicking +q people, if the ircop isn't
op'ed he can kick them, but if he has +o he can't. Reported by Michi (#0001012).
If you use mixed unreal versions you can get desynch problems if you use those
fixed things (like kick a +h if you are +h) because older servers will still block
the kick. You will receive a 'You cannot kick channel' message from every older
server so you'll at least be notified ;p.
- Added 'action' field to ban version { } which can be: kill: kills the user (default),
tempshun: shun the specific connection only, kline/zline/gline/gzline/shun: place
a ban on *@IP. Time of those bans can be specified in set::ban-version-tkl-time.
It's up to the admin to take a good decision, sometimes zlines are best (=won't use
much sockets but will reconnect quite quickly), sometimes tempshun (=will use 1 socket
but generates nearly no network traffic), sometimes klines/glines, etc..
- Changed some useless stuff.
- Enabled EXTCMODE by default, I presume it's stable but can't promise anything.
- Module coders: changed 'allowed' callback function for umodes&snomasks,
from 'aClient *sptr' to 'aClient *sptr, int what'.
'what' will be MODE_ADD if trying to add and MODE_DEL if trying to remove.
- Added checks for /sethost&/chghost to same host.
- Added remove-chanmode-after-X-minutes in +f.
The format is +f [30j#R5]:15, where 5 is the "do -R after 5 minutes". For a default
action like +i you would have to do the same: +f [30j#i5]:15 (remove 'i' after 5 minutes).
Additionally, 2 config items are added:
- set::modef-default-unsettime, if this is set to for example '5' then things like
+f [30j]:15 will be transformed into +f [30j#i5]:15. It's just a default, the user can still
override it. By default this feature is not used.
- set::modef-max-unsettime, specifies the maximum amount of time for the <time> parameter,
by default this is set to 60 (=1 hour), the value should be between 0 and 255.
I didn't do the extended tests I usually do but it seems stable, also the docs are updated
but are probably updated again later to make it a bit more readable.
Feel free to report any bugs as soon as you discover them.
The only thing I could think of is: _usually_ only 1 server will have the -i/-R/.. timer
running, so if that server splits (or even worse dies) it will only be -i/-R/.. at that server
and when they sync back they merge chanmodes so +i/+R is set again.
I don't consider this a huge problem but maybe it can be inconvenient, if people have
a lot of trouble with this I'll have to consider a 50% recode of the +f system :/.
- (Just for the record, this audit has nothing to do with the ircnet buffer overflow,
unrealircd is not vulnerable)
- Various fixes
- Visual bug regarding +f & server synching, it was sometimes setting mode +f multiple
times depending on the ban-/userlist.
- Fixed a possible desynch regarding chmode +L.
- Fixed possible client confusion regarding bans.
==
- Allow o/a/q'd users to nickchange if banned (#0001150).
- Added badword all { }, this will add the badword to the badword channel, badword message
and badword quit lists... could be useful :p.
- Little config.h cleanup (removed obsolete non-working defines).
===
- Internal code cleanups: EOS var rename, got rid of old UnknownUser structs, moved
anti away flood to new flood struct.
- Changed away flood configuration to set::anti-flood::away-flood <count>:<period>.
- Added nickflood protection, can be set in set::anti-flood::away-flood <count>:<period>
to allow max 'count' nickchanges per 'period' seconds. The default is 3 per 60s.
As usual, the nickchange limiting does not apply to ircops.
- Updated example.conf with a more strict default oper-only-stats.
- Made '/stats S' and '/stats Z' oper only again (always).
- Hopefully fixed incoming/outgoing rate in /stats T. Only the stats of the first
listener was counted instead of the total. This also explains why on some (many?)
ircd configurations it always showed 0.00 kb/s and why HTM (high traffic mode)
was never kicking in.
- 005 CHANMODES= set back to original value before extcmode merge
- made some functions in channel.c non-static so module coders
can use them (they are not defined in the header files [yet] however).
- fixed 2 minor oob write issues
- Module coders: new hooks: part, kick, chanmode, topic. changed: quit (added 'comment' param).
- Enlarged REPORT_* vars a bit.
- IPv6: UnrealIRCd can now lookup ip6.arpa addresses too (original IRCnet patch modified for
UnrealIRCd by Onliner).
* Removed thread questions from Config, and autoconf code from
configure.in, leaving in the old macros though, but inactive
--enable-standardthreads is dead as of now
* Undefined HOOKTYPE_SCAN_INFO
* Removed CONF_EXCEPT_SCAN
* Removed locking in events, Lock/UnlockEventSystem still active for other
possible uses.
* Removed scanners, web server module
* Removed except scan {}
* Removed SCAN_API stuff from l_commands.c, win32 makefiles, etc
* Removed basically any mentions of threads in source tree, excepting
threads.h which Resolver uses on win32
* Documentation changes not done yet
If BUFFERPOOL dbuf_put would return -1, but at some places !dbuf_put was used,
I've changed it so it will return 0 (so use !dbuf_put now, don't use dbuf_put(...) < 0 :P).
I also added some nice warning thing. I couldn't send from the send routine because that's risky ;).
And...... I also doubled the default BUFFERPOOL, so if you leave everything the default then
BUFFERPOOL is now 52Mb instead of 26Mb, which should be ok for now.
This is more useful than the no nameserver + useip solution since with this no resolving
is done for incoming clients, but connecting to other servers (with hostnames) still works fine ;P.
multihomed issue:
Instead of binding cptr->listener->ip it now uses getsockname(), otherwise it
won't work if you have a listen *:6667 thing + multihomed (it will connect for
example from 33.33.33.1 while the client connected to 33.33.33.5).
connect issue:
there was some kind of file descriptor race condition because of the way our
whole read_message() thing is coded... an ident socket might have been closed
+ a new might have been accepted... blablabla ;)
I wonder if anyone reads these CVS logs lol :).
Also colour -> color ;P.
And... removed doc/Unreal31_to_32.html because it's no longer needed now
since I have integrated it in the features section / unreal32docs.html.
- Module changes: added two hooks: HOOKTYPE_USERMSG and HOOKTYPE_CHANMSG, changed umode_get.
The HOOKTYPE_USERMSG has been tested with a +D (deaf for private msgs except for opers)
module, the channel thing not yet...
added global/local mode flag to umode_get, or use umode_lget (local) / umode_gget (global) :P.
Blah.
The bug was it did free the yeslist/nolist elements but not the data in it (lp->value) :PP.
Changed to use free_str_list() instead, just like in exit_client.
* same for scan message
* don't say "you have not registered" on NOTICE in unregistered state.
* made a send_prot(aClient, ConfigItem_link) for sending PROTOCTL message,
takes care of sending ZIP in token in case of a ziplink (indeed, I don't
send "ZIP" if it's not marked as a ziplink).
* added automatic fallback to uncompressed link in case one of the sides
has zip turned off or not compiled in.
* added configcheck for link::options::zip turned on when not compiled
in (just like we do with ssl).
- Currently it's not possible to compile with ZIP_LINKS _and_ SSL without changing zlib.h :(.
It really sucks... it's because zlib.h has a typedef for 'free_func' and this is also used
in openssl header files as a (useless) name... :((. I did some updates to allow future zlib
changes, dunnow if they will because it can break other zlib programs. It compiled fine at
windows, but not at Linux... you need to replace free_func to zlib_free_func in zlib.h in
order to get ZIP_LINKS + SSL to work... but like I said, that may break programs (ARGH!).
IsHidden(sptr) ? sptr->user->virthost : sptr->user->realhost
stuff to a simple GetHost(sptr) macro (defined in struct.h).
Smaller and less error prone :). Also fixed the if IsHidden -> if (IsHidden
found by codemastr .
- Made async resolve-and-connect work
- Added link::options::nodnscache which means Unreal will not cache the host forever for
outgoing server connections, you could for example enable this if you are linking two servers
with an often changing host (like dyndns.org).
* Changed layout
* Removed text, split up 3.1.x->3.2.x upgrade info to Unreal31_to_32.html
(actually that's just .RELEASE.NOTES, need a bit more explanation and
stuff about converting configs etc).
* Improved Me, Class, Allow, Listen and Set block text/layout/etc.
* Removed typos
at windows and not at *NIX? Also it's incompatible with running as a service.
AFAIK it doesn't increase security very much: if you own the box you can easily
sniff the keyboard, read the certificate from memory, etc..
- Fixed bug in +q/+a list (/mode #chan q) <= lol this was some historic
bug by DrBin or something ;). In case you wanna know.. the whole loop logic
was wrong... initialisation vs null pointer check... ;).
which is set if dead_link is called. You will now see "Write error",
"Max SendQ exceeded" etc error messages in the quit reason instead of just
the "Dead socket" message. Changed "notice" parameter of dead_link, now just
the reason and not a format string, maybe rename that var.
instead of using a 2nd flag here for the special case of "the first zip msg"
like in hybrid/etc I use cptr->zip->first to flag that. Except for the many
#ifdef ZIP_LINKS blocks added I also had to do some stuff outside it, like
crc32->our_crc32 because zlib defines it, made a READBUF define (8192),
added a msg var to parsing/send functions.. blah.. etc ;P.
I've also put the patch online at www.vulnscan.org/tmp/zip_links.diff so you
can easily look what I've changed.
TODO: ask in ./Config if ziplinks should be enabled and let ./configure check
for zlib + add the library to IRCDLIBS in Makefile if enabled.
TODO: some little code cleanups
then does a -x virthost gets freed and the user can join again/circumvent the ban.
virthost should probably be moved into the User struct like char virthost[HOSTLEN+1]
but in the meantime I've just removed the free() when someone does -x.
I noticed we already do make_userhost at connect even if mode +x isn't set, and also
is_banned checks if virthost exists.. if so -> check if that's banned... so this
patch won't decrease performance much.
We were doing: T_AAAA, if that fails then T_A. But in that case when a host
has both T_A and T_AAAA entries, the reverse lookup will fail for ipv4.
Now using T_ANY to fetch both T_A and T_AAAA addresses at once.
We were doing "deny known bad characters" instead of "only allow known good characters", this was REALLY bad...
This patch limits hostnames to alphanumeric, '-', '_' and '.'.
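The difference between the two approaches in the note above, as an added example that is not the project's code: `host_ok_denylist`, its character set, the `HOSTLEN` value of 63 and the fall-back-to-IP helper `host_or_ip` are assumptions made for illustration, and the sample hostnames are constructed.

```c
#include <stdio.h>
#include <string.h>

#ifndef HOSTLEN
#define HOSTLEN 63   /* assumption: maximum stored hostname length */
#endif

/* "Deny known bad characters" (hypothetical, for contrast): only the
 * characters somebody thought of are rejected, everything else passes. */
static int host_ok_denylist(const char *host)
{
    return host[0] != '\0' && strlen(host) <= HOSTLEN
        && strpbrk(host, " *?!@:\r\n") == NULL;
}

/* "Only allow known good characters": alphanumeric, '-', '_' and '.'.
 * Explicit ASCII ranges are used instead of isalnum() so the result does
 * not depend on the locale and bytes >= 0x80 are always rejected. */
static int host_ok_allowlist(const char *host)
{
    size_t len = strlen(host);
    const unsigned char *p;

    if (len == 0 || len > HOSTLEN)
        return 0;
    for (p = (const unsigned char *)host; *p; p++) {
        if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
            (*p >= '0' && *p <= '9') ||
            *p == '-' || *p == '_' || *p == '.')
            continue;
        return 0;
    }
    return 1;
}

/* Assumed policy for a rejected name: keep showing the numeric address
 * instead of the resolver-supplied string. */
static const char *host_or_ip(const char *resolved, const char *ip)
{
    return host_ok_allowlist(resolved) ? resolved : ip;
}

int main(void)
{
    /* Constructed resolver answers; the second and third carry bytes
     * that a denylist author did not anticipate. */
    static const char *samples[] = {
        "irc-1.example_net.org",
        "irc\001.example.org",
        "a\033[1mb.example.org",
        "user@host.example.org",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %u: denylist=%d allowlist=%d shown=%s\n",
               (unsigned)i,
               host_ok_denylist(samples[i]),
               host_ok_allowlist(samples[i]),
               host_or_ip(samples[i], "192.0.2.7"));
    return 0;
}
```

The control-character and escape-sequence samples pass the denylist but not the allowlist, which is the failure mode the note describes.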
for (i = 0; &HE(cp)->h_addr_list[i]; i++) was used in ipv4 mode, but should be
without the &... this caused some stalls (like 11 seconds) at my machine because the
loop was executing >1 million times (I don't understand why it didn't crash however).
time function, however my fix was wrong / usually the out of bounds memory
reading went well so the function worked... now it didn't... patched ;P.
Some examples: 4s = 8, 1m = 61, 1h = 3601, 1h2m = 3722.
'getsockopt(IP_OPTIONS)' reported in bug #0000616. There's still one around
somewhere, but it's a start. Also modified report_error so it reports both
the socket error AND the system error if they are different.
- Documentation - Updated sec1.1 - Instructed to use bugs.unrealircd.org to report problems with docs
- Documentation - Updated misc hyperlinks - doc/unreal32docs.html
- Documentation - Updated sec3.31 - Added better description to the format we present set:: settings
- Documentation - Updated sec3.31 - Added more details to set directives
- Documentation - Updated sec3.25 - Added option vhost::swhois to section 3.25 Vhost block
- Documentation - Replaced text vair {} with <> to prevent confusion.
- Documentation - Documented that lusers now supports remote servers
- Documentation - Corrected vhost::from example as reported by joolz #329
- Documentation - Corrected set::scan:messages, currently listed as set::messages - as reported by joolz (#329)
- Documentation - Added channel mode t & description as reported by stfcs (#315)
+ fail-if-no-clientcert - If SSL client connects and doesn't provide a client certificate, abort connection immediately
+ verify-certificate - Check the certificate's validity using X509 methods, check if we trust CA's, etc.
+ It however does slip self signed certificates through UNLESS
+ no-self-signed - Don't allow self-signed certificates through (requires verify-certificate)
+- Made conf parser mention if we make a link->options with CONNECT_SSL if we don't support SSL (and remove the CONNECT_SSL flag)
+- Made conf parser mention if we make a SSL listener and we don't support SSL
+- Added set::ssl::trusted-ca-file, if enabled, it will point the SSL stuff to use that file as trusted CA's (for verify-certificate)
+- Made conf _not_ bitch that it doesn't know set::ssl
+- Removed some leftover client certificate stuff
this allows the admin to decide a standard custom quit for users. so they
won't be able to make their own quits. This affects set::prefix-quit and
ANTI_SPAM_QUIT_TIME - it simply replaces it with the message if enabled
- Updated .CHANGES.NEW with new version # and link to docs
- Updated .RELEASE.NOTES with new version # and link to docs
- Added NEW doc/unreal32docs.html Docs
- Removed .NEW_CONFIG - No longer needed
- Removed INSTALL - Refer to NEW docs Unreal32docs.html
- Removed doc/commands.txt - Refer to NEW docs Unreal32docs.html
- Removed doc/faq - Refer to NEW docs Unreal32docs.html
- Removed doc/conf.doc - Refer to NEW Docs Unreal32docs.html
- Removed doc/unrealircd.doc - Refer to NEW docs Unreal32docs.html
- Removed doc/Elite.Changes - Out Dated
- Removed doc/services-install-guide - Refer to NEW docs Unreal32docs.html
- Modified Unreal.nfo to include ref. to new docs
+ ircd_SSL_read must emulate the same. codemastr: could you check what the
+ win32 equiviant of EIO is? I don't think my WSAEIO or whatever I called it
+ in sys.h is correct.
on non WIN32 systems
- Deprecated AKILL/RAKILL and made them alias to TKL G +/- - for normal users they
just reply that the commands are deprecated. Server compatibility is maintained.
Eventually it will just be removed. Thank god for modules.
cd src; ${MAKE} ${MAKEARGS} MODULEFILE=${MODULEFILE} EXLIBS=${EXLIBS} custommodule
@if test -z "${MODULEFILE}"; then echo "Please set MODULEFILE when calling \`\`make custommodule''. For example, \`\`make custommodule MODULEFILE=callerid''." >&2; exit 1; fi
Ok, in order to save time, and my nerves, I am writing this short readme, and eventually an FAQ (after people ask questions) =)
This is information on how to run the win32 version, it does not say, and WILL not say how to use an ircd, as that is sufficiently documented in the docs !!!!
You will NEED to modify/create an ircd.conf, follow the documentation for that.
Right, that's almost it (that I can think of), but what happens if the server crashes ???
AC_WARN(SSL support could not be enabled because openssl/ssl.h could not be found)
fi
])
dnl module checking based on Hyb7's module checking code
AC_DEFUN(AC_ENABLE_DYN,
[
AC_CHECK_FUNC(dlopen,, AC_CHECK_LIB(dl, dlopen,IRCDLIBS="$IRCDLIBS -ldl",AC_MSG_WARN(Dynamic linking is not enabled because dlopen was not found) AC_DEFINE(STATIC_LINKING)))
hold_cflags=$CFLAGS
CFLAGS="$CFLAGS -export-dynamic"
AC_CACHE_CHECK(if we need the -export-dynamic flag, ac_cv_export_dynamic, [
AC_ARG_WITH(hostname, [ --with-hostname=host Specify the local hostname of the server], AC_DEFINE_UNQUOTED(DOMAINNAME,"$withval"),AC_DEFINE_UNQUOTED(DOMAINNAME,"`hostname`"))
AC_DEFINE_UNQUOTED(MYOSNAME,"`uname -a`")
AC_ARG_WITH(permissions, [ --with-permissions=permissions Specify the default permissions for
AC_ARG_ENABLE(hub, [ --enable-hub Compile as a hub server], AC_DEFINE(HUB))
AC_ARG_ENABLE(ssl, [ --enable-ssl Enable client and server SSL connections ], AC_ENABLE_SSL)
AC_ARG_ENABLE(dynamic-linking, [ --enable-dynamic-linking Make the IRCd dynamically link shared objects rather than statically ], AC_ENABLE_DYN, AC_DEFINE(STATIC_LINKING))
AC_ARG_ENABLE(inet6, [ --enable-inet6 Make the IRCd support IPv6 ], AC_ENABLE_INET6)
AC_ARG_ENABLE(standardthreads, [ --enable-standardthreads Use standard threads ], USESTDTHREAD="1")
AC_SUBST(IRCDDIR)
AC_SUBST(BINDIR)
ACX_PTHREAD
CC="$PTHREAD_CC"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
IRCDLIBS="$IRCDLIBS $PTHREAD_LIBS"
AC_caolan_FUNC_WHICH_GETHOSTBYNAME_R
AC_MSG_CHECKING(if FD_SETSIZE is large enough to allow $ac_fd file descriptors)
dnl Save CFLAGS, use this when building the libraries like c-ares
orig_cflags="$CFLAGS"
dnl Save build directory early on (used in our m4 macros too)
BUILDDIR="`pwd`"
AC_SUBST(BUILDDIR)
dnl Calculate the versions. Perhaps the use of expr is a little too extravagant
# Generation version number (e.g.: X in X.Y.Z)
UNREAL_VERSION_GENERATION=["4"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_GENERATION], [$UNREAL_VERSION_GENERATION], [Generation version number (e.g.: X for X.Y.Z)])
# Major version number (e.g.: Y in X.Y.Z)
UNREAL_VERSION_MAJOR=["0"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_MAJOR], [$UNREAL_VERSION_MAJOR], [Major version number (e.g.: Y for X.Y.Z)])
# Minor version number (e.g.: Z in X.Y.Z)
UNREAL_VERSION_MINOR=["19"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_MINOR], [$UNREAL_VERSION_MINOR], [Minor version number (e.g.: Z for X.Y.Z)])
# The version suffix such as a beta marker or release candidate
# marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
# string instead of an integer because it contains arbitrary data.
UNREAL_VERSION_SUFFIX=["-rc2"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_SUFFIX], ["$UNREAL_VERSION_SUFFIX"], [Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX)])
AC_PROG_CC
if test "$ac_cv_prog_gcc" = "yes"; then
CFLAGS="$CFLAGS -funsigned-char"
AC_CACHE_CHECK(if gcc has a working -pipe, ac_cv_pipe, [
AC_DEFINE([POSIX_SIGNALS], [], [Define if you have POSIX signals])
elif test "$ac_cv_sigtype" = "BSD"; then
AC_DEFINE([BSD_RELIABLE_SIGNALS], [], [Define if you have BSD signals])
else
AC_DEFINE([SYSV_UNRELIABLE_SIGNALS], [], [Define if you have SYSV signals])
fi
AC_CHECK_FUNCS(strtoken,,AC_DEFINE([NEED_STRTOKEN], [], [Define if you need the strtoken function.]))
AC_CHECK_FUNCS(strtok,,AC_DEFINE([NEED_STRTOK], [], [Define if you need the strtok function.]))
AC_CHECK_FUNCS(strerror,,AC_DEFINE([NEED_STRERROR], [], [Define if you need the strerror function.]))
AC_CHECK_FUNCS(index,,AC_DEFINE([NOINDEX], [], [Define if you do not have the index function.]))
AC_CHECK_FUNCS(strtoul,,STRTOUL="strtoul.o")
AC_CHECK_FUNCS(bcopy,,AC_DEFINE([NEED_BCOPY], [], [Define if you don't have bcopy]))
AC_CHECK_FUNCS(bcmp,,AC_DEFINE([NEED_BCMP], [], [Define if you don't have bcmp]))
AC_CHECK_FUNCS(bzero,,AC_DEFINE([NEED_BZERO], [], [Define if you need bzero]))
AC_CHECK_FUNCS(strcasecmp,AC_DEFINE([GOT_STRCASECMP], [], [Define if you have strcasecmp]))
save_libs="$LIBS"
LIBS="$LIBS $SOCKLIB $INETLIB"
AC_CHECK_FUNCS(inet_addr,,AC_DEFINE([NEED_INET_ADDR], [], [Define if you need inet_addr]))
AC_CHECK_FUNCS(inet_ntoa,,AC_DEFINE([NEED_INET_NTOA], [], [Define if you need inet_ntoa]))
LIBS="$save_libs"
AC_CHECK_FUNCS(syslog,AC_DEFINE([HAVE_SYSLOG], [], [Define if you have syslog]))
AC_SUBST(STRTOUL)
AC_SUBST(CRYPTOLIB)
AC_SUBST(MODULEFLAGS)
AC_SUBST(DYNAMIC_LDFLAGS)
AC_ARG_WITH(nick-history, [AS_HELP_STRING([--with-nick-history=length],[Specify the length of the nickname history])],
[AC_DEFINE_UNQUOTED([NICKNAMEHISTORYLENGTH], [$withval], [Set to the nickname history length you want])],
[AC_DEFINE([NICKNAMEHISTORYLENGTH], [2000], [Set to the nickname history length you want])])
AC_ARG_WITH([sendq], [AS_HELP_STRING([--with-sendq=maxsendq],[Specify the max sendq for the server])],
[AC_DEFINE_UNQUOTED([MAXSENDQLENGTH], [$withval], [Set to the max sendq you want])],
[AC_DEFINE([MAXSENDQLENGTH], [3000000], [Set to the max sendq you want])])
AC_ARG_WITH(permissions, [AS_HELP_STRING([--with-permissions=permissions], [Specify the default permissions for
configuration files])],
dnl We have an apparently out-of-place 0 here because of a MacOSX bug and because
dnl we assume that a user thinks that `chmod 0600 blah' is the same as `chmod 600 blah'
dnl (#3189)
[AC_DEFINE_UNQUOTED([DEFAULT_PERMISSIONS], [0$withval], [The default permissions for configuration files. Set to 0 to prevent unrealircd from calling chmod() on the files.])],
[AC_DEFINE([DEFAULT_PERMISSIONS], [0600], [The default permissions for configuration files. Set to 0 to prevent unrealircd from calling chmod() on the files.])])
AC_ARG_WITH(bindir, [AS_HELP_STRING([--with-bindir=path],[Specify the directory for the unrealircd binary])],
[AC_DEFINE_UNQUOTED([BINDIR], ["$withval"], [Define the directory where the unrealircd binary is located])
BINDIR="$withval"],
[AC_DEFINE_UNQUOTED([BINDIR], ["$HOME/unrealircd/bin"], [Define the directory where the unrealircd binary is located])
BINDIR="$HOME/unrealircd/bin"])
AC_ARG_WITH(scriptdir, [AS_HELP_STRING([--with-scriptdir=path],[Specify the directory for the unrealircd start-stop script])],
[AC_DEFINE_UNQUOTED([SCRIPTDIR], ["$withval"], [Define the directory where the unrealircd start stop scripts is located])
SCRIPTDIR="$withval"],
[AC_DEFINE_UNQUOTED([SCRIPTDIR], ["$HOME/unrealircd"], [Define the directory where the unrealircd start stop scripts is located])
SCRIPTDIR="$HOME/unrealircd"])
AC_ARG_WITH(confdir, [AS_HELP_STRING([--with-confdir=path],[Specify the directory where configuration files are stored])],
[AC_DEFINE_UNQUOTED([CONFDIR], ["$withval"], [Define the location of the configuration files])
CONFDIR="$withval"],
[AC_DEFINE_UNQUOTED([CONFDIR], ["$HOME/unrealircd/conf"], [Define the location of the configuration files])
CONFDIR="$HOME/unrealircd/conf"])
AC_ARG_WITH(modulesdir, [AS_HELP_STRING([--with-modulesdir=path],[Specify the directory for loadable modules])],
[AC_DEFINE_UNQUOTED([MODULESDIR], ["$withval"], [Define the location of the modules])
MODULESDIR="$withval"],
[AC_DEFINE_UNQUOTED([MODULESDIR], ["$HOME/unrealircd/modules"], [Define the location of the modules])
MODULESDIR="$HOME/unrealircd/modules"])
AC_ARG_WITH(logdir, [AS_HELP_STRING([--with-logdir=path],[Specify the directory where log files are stored])],
[AC_DEFINE_UNQUOTED([LOGDIR], ["$withval"], [Define the location of the log files])
LOGDIR="$withval"],
[AC_DEFINE_UNQUOTED([LOGDIR], ["$HOME/unrealircd/logs"], [Define the location of the log files])
LOGDIR="$HOME/unrealircd/logs"])
AC_ARG_WITH(cachedir, [AS_HELP_STRING([--with-cachedir=path],[Specify the directory where cached files are stored])],
[AC_DEFINE_UNQUOTED([CACHEDIR], ["$withval"], [Define the location of the cached remote include files])
CACHEDIR="$withval"],
[AC_DEFINE_UNQUOTED([CACHEDIR], ["$HOME/unrealircd/cache"], [Define the location of the cached remote include files])
CACHEDIR="$HOME/unrealircd/cache"])
AC_ARG_WITH(tmpdir, [AS_HELP_STRING([--with-tmpdir=path],[Specify the directory where private temporary files are stored. Should not be readable or writable by others, so not /tmp!!])],
[AC_DEFINE_UNQUOTED([TMPDIR], ["$withval"], [Define the location of private temporary files])
TMPDIR="$withval"],
[AC_DEFINE_UNQUOTED([TMPDIR], ["$HOME/unrealircd/tmp"], [Define the location of private temporary files])
TMPDIR="$HOME/unrealircd/tmp"])
AC_ARG_WITH(datadir, [AS_HELP_STRING([--with-datadir=path],[Specify the directory where permanent data is stored])],
[AC_DEFINE_UNQUOTED([PERMDATADIR], ["$withval"], [Define the location of permanent data files])
PERMDATADIR="$withval"],
[AC_DEFINE_UNQUOTED([PERMDATADIR], ["$HOME/unrealircd/data"], [Define the location of permanent data files])
PERMDATADIR="$HOME/unrealircd/data"])
AC_ARG_WITH(docdir, [AS_HELP_STRING([--with-docdir=path],[Specify the directory where documentation is stored])],
[AC_DEFINE_UNQUOTED([DOCDIR], ["$withval"], [Define the location of the documentation])
DOCDIR="$withval"],
[AC_DEFINE_UNQUOTED([DOCDIR], ["$HOME/unrealircd/doc"], [Define the location of the documentation])
DOCDIR="$HOME/unrealircd/doc"])
AC_ARG_WITH(pidfile, [AS_HELP_STRING([--with-pidfile=path],[Specify the path of the pid file])],
[AC_DEFINE_UNQUOTED([PIDFILE], ["$withval"], [Define the path of the pid file])
PIDFILE="$withval"],
[AC_DEFINE_UNQUOTED([PIDFILE], ["$HOME/unrealircd/data/unrealircd.pid"], [Define the path of the pid file])
PIDFILE="$HOME/unrealircd/data/unrealircd.pid"])
dnl Ensure that this “feature” can be disabled as it makes it harder to package unrealircd.
dnl Users have always been able to specify “./configure LDFLAGS=-Wl,-rpath,/path/to/blah”—binki
AC_ARG_WITH(privatelibdir, [AS_HELP_STRING([--with-privatelibdir=path],[Specify the directory where private libraries are stored. Disable when building a package for a distro])],
[],
[with_privatelibdir="yes"])
AS_IF([test "x$with_privatelibdir" = "xno"],
[PRIVATELIBDIR=],
[test "x$with_privatelibdir" = "xyes"],
[PRIVATELIBDIR="$HOME/unrealircd/lib"],
[PRIVATELIBDIR="$with_privatelibdir"])
AS_IF([test "x$PRIVATELIBDIR" = "x"],
[LDFLAGS_PRIVATELIBS=""],
[AC_DEFINE_UNQUOTED([PRIVATELIBDIR], ["$PRIVATELIBDIR"], [Define the location of private libraries])
LDFLAGS_PRIVATELIBS="-Wl,-rpath,$PRIVATELIBDIR"
LDFLAGS="$LDFLAGS $LDFLAGS_PRIVATELIBS"
export LDFLAGS])
AC_SUBST(BINDIR)
AC_SUBST(SCRIPTDIR)
AC_SUBST(CONFDIR)
AC_SUBST(MODULESDIR)
AC_SUBST(LOGDIR)
AC_SUBST(CACHEDIR)
AC_SUBST(TMPDIR)
dnl Why o why PERMDATADIR and not DATADIR you ask?
dnl well, Because DATADIR conflicts with the Windows SDK header files.. amazing.
AC_SUBST(PERMDATADIR)
AC_SUBST(DOCDIR)
AC_SUBST(PIDFILE)
AC_SUBST(LDFLAGS_PRIVATELIBS)
AC_ARG_WITH(fd-setsize, [AS_HELP_STRING([--with-fd-setsize=size], [Specify the max file descriptors to use])],
[ac_fd=$withval],
[ac_fd=1024])
AC_DEFINE_UNQUOTED([MAXCONNECTIONS], [$ac_fd], [Set to the max connections you want])
AC_ARG_ENABLE([prefixaq],
[AS_HELP_STRING([--disable-prefixaq],[Disable chanadmin (+a) and chanowner (+q) prefixes])],
[],
[enable_prefixaq=yes])
AS_IF([test $enable_prefixaq = "yes"],
[AC_DEFINE([PREFIX_AQ], [], [Define if you want +a/+q prefixes])])
AC_ARG_WITH(showlistmodes,
[AS_HELP_STRING([--with-showlistmodes], [Specify whether modes are shown in /list])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([LIST_SHOW_MODES], [], [Define if you want modes shown in /list])])])
AC_ARG_WITH(topicisnuhost, [AS_HELP_STRING([--with-topicisnuhost], [Display nick!user@host as the topic setter])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([TOPIC_NICK_IS_NUHOST], [], [Define if you want nick!user@host shown for the topic setter])])])
AC_ARG_WITH(shunnotices, [AS_HELP_STRING([--with-shunnotices], [Notify a user when he/she is no longer shunned])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([SHUN_NOTICES], [], [Define if you want users to be notified when their shun is removed])])])
[AC_DEFINE([NO_OPEROVERRIDE], [], [Define if you want OperOverride disabled])])])
AC_ARG_WITH(disableusermod, [AS_HELP_STRING([--with-disableusermod], [Disable /set* and /chg*])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([DISABLE_USERMOD], [], [Define if you want to disable /set* and /chg*])])])
AC_ARG_WITH(operoverride-verify, [AS_HELP_STRING([--with-operoverride-verify], [Require opers to invite themselves to +s/+p channels])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([OPEROVERRIDE_VERIFY], [], [Define if you want opers to have to use /invite to join +s/+p channels])])])
AC_ARG_WITH(disable-extendedban-stacking, [AS_HELP_STRING([--with-disable-extendedban-stacking], [Disable extended ban stacking])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([DISABLE_STACKED_EXTBANS], [], [Define to disable extended ban stacking (~q:~c:\#chan, etc)])])])
AC_ARG_WITH(system-tre, [AS_HELP_STRING([--with-system-tre], [Use the system tre package instead of bundled, discovered using pkg-config])], [], [with_system_tre=no])
AC_ARG_WITH(system-pcre2, [AS_HELP_STRING([--with-system-pcre2], [Use the system pcre2 package instead of bundled, discovered using pkg-config])], [], [with_system_pcre2=no])
AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled version instead of system c-ares. Normally autodetected via pkg-config.])], [], [with_system_cares=yes])
CHECK_SSL
CHECK_SSL_CTX_SET1_CURVES_LIST
AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
Example: NOTICE codemastr,Stskeeps :Hi codemastr and Stskeeps.
MODE
- Used to change the mode of a channel or a user. You can only change modes for channels you are an Operator or Half-Op on. Also, you can only change user modes for yourself.
- Changes your "online identity" on a server. All those in the channel you are in will be alerted of your nickname change.
Syntax: NICK <new nickname>
Example: NICK |codemastr|
JOIN
- Used to enter one or more channels on an IRC server. All occupants of the channel will be notified of your arrival.
Syntax: JOIN <chan>,<chan2>,<chan3>
Example: JOIN #UnrealIRCD
Example: JOIN #UnrealIRCD,#OperHelp
PING
- Determines the amount of lag (time it takes for a response to reach a person and come back) between yourself and someone else.
Syntax: PING <user>
Example: PING Stskeeps
WHOIS
- Shows information about the user in question, such as their "name", channels they are currently in, their hostmask, etc.
Syntax: WHOIS <user>
Example: WHOIS DrBin
ISON
- Used to determine if a certain user or users are currently on the IRC server based upon their nickname.
Syntax: ISON <user> <user2> <user3> <user4>
Example: ISON Stskeeps DrBin codemastr NickServ ChanServ OperServ MemoServ
USER
- Used during registration to server (i.e. during initial connection sequence.)
PART
- Used to part (or leave) a channel you currently occupy. All those in the channel will be notified of your departure.
Syntax: PART <chan>,<chan2>,<chan3>,<chan4>
Example: PART #UnrealIRCD
Example: PART #UnrealIRCD,#OperHelp
QUIT
- Disconnects you from the IRC server. Those in the channels you occupy will be notified of your departure. If you do not specify a reason, your nickname becomes the reason.
Syntax: QUIT <reason>
Example: QUIT Leaving!
USERHOST
- Returns the userhost of the user in question. Usually used by scripts or bots to retrieve userhost information.
Syntax: USERHOST <nickname>
Example: USERHOST codemastr
SVSNICK
- Can only be used by a U:Lined server (i.e. services). Changes the nickname of the user in question.
- Can only be used by a U:Lined server (i.e. services). Changes the mode of the channel or user in question.
Syntax: SVSMODE <channel/user> :<mode>
Example: SVSMODE #UnrealIRCD :+o Stskeeps
Example: SVSMODE codemastr :+i
LUSERS
- Provides local and global user information (such as current and maximum user count).
Syntax: LUSERS <server>
CHANSERV
- Will send a secure message to ChanServ. Similar to /msg ChanServ, but more secure. May not work if server is configured improperly.
TOPIC
- Sets/Changes the topic of the channel in question, or just display the current topic.
Syntax: TOPIC <channel>
Syntax: TOPIC <channel> <topic>
Example: TOPIC #operhelp
Example: TOPIC #UnrealIRCD Welcome to the Unreal IRCD Home Channel.
INVITE
- Sends a user an invitation to join a particular channel. You must be an operator on the channel in order to invite a user into it.
Syntax: INVITE <user> <channel>
Example: INVITE codemastr #OperHelp
KICK
- Removes a user from a channel. Can only be used by Operators or Half-Ops. If no reason is specified, your nickname becomes the reason.
Syntax: KICK <channel> <user> <reason>
WALLOPS
- Sends a "message" to all those with the umode +w. Only IRCops can send wallops, while anyone can view them.
Syntax: WALLOPS <message>
KILL
- Forcefully disconnects a user from an IRC Server. Can only be used by IRCops.
Syntax: KILL <user> <reason>
Example: KILL Clone5 Cloning is not allowed
AWAY
- Sets your online status to "away".
Syntax: AWAY <reason> (AWAY without a reason will unset you away)
Example: AWAY Walking the dog...
SQUIT
- Disconnects an IRC Server from the network
Syntax: SQUIT <server>
Example: SQUIT leaf.*
WHO
- Searches user information (-i users only) for supplied information. IRCops are able to search +i users.
Syntax: WHO <search>
Example: WHO *.aol.com
WHOWAS
- Retrieves previous 'WHOIS' information for users no longer connected to the server.
Syntax: WHOWAS <nickname>
Example: WHOWAS Stskeeps
LIST
- Provides a complete listing of all channels on the network. If a search string is specified, it will only show those matching the search string.
Syntax: LIST <search string>
Example: LIST
Example: LIST *ircd*
NAMES
- Provides a list of users on the specified channel.
Syntax: NAMES <channel>
Example: NAMES #help
OPER
- Attempts to give a user IRCop status.
Syntax: OPER <uid> <pass>
Example: OPER codemastr codeit
CONNECT
- Links another IRC server to the one you are currently on. Remote connections are also possible.
Syntax: CONNECT <server>
Syntax: <CONNECT> <hub> <port> <leaf>
Example: CONNECT leaf.*
Example: CONNECT hub.* 6667 leaf.*
VERSION
- Provides version information of the IRCD software in usage.
Syntax: VERSION
STATS
- Provides certain statistical information about the server (for example, u will provide uptime information).
Syntax: STATS <letter>
Example: STATS u
LINKS
- Lists all of the servers currently linked to the network.
Syntax: LINKS
ADMIN
- Provides administrative information regarding the server.
Syntax: ADMIN <server>
SAMODE
- Allows a services administrator to change the mode on a channel, without having operator status.
Syntax: SAMODE <channel> <mode>
Example: SAMODE #UnrealIRCD +m
SVSKILL
- Can only be used by a U:Lined server. Forcefully disconnects a user from the network.
Syntax: SVSKILL <user> <reason>
Example: SVSKILL codemastr Goodbye
SVSNOOP
- Can only be used by a U:Lined server. Enables or disables whether Global IRCop functions exist on the server in question or not.
Syntax: SVSNOOP <server> <+/->
Example: SVSNOOP leaf.* -
MOTD
- Displays the Message of the Day.
Syntax: MOTD
Syntax: MOTD <server>
KLINE
- "Bans" a hostmask from connection to the IRC server.
Syntax: KLINE <hostmask> <reason>
Example: KLINE *@*.aol.com Abuse
UNKLINE
- Removes a k:line from the server.
Syntax: UNKLINE <hostmask>
Example: UNKLINE *@*.aol.com
ZLINE
- Disables all access to the IRC server from a specified IP.
Syntax: ZLINE <ip>
Example: ZLINE 127.0.0.1
UNZLINE
- Removes a currently active z:Line.
Syntax: UNZLINE <ip>
Example: UNZLINE 127.0.0.1
GLOBOPS
- Sends a global "message" to all IRCops. Only viewable by IRCops (unlike WallOps, which can be viewed by normal users).
Syntax: GLOBOPS <message>
Example: GLOBOPS Going to be akilling those clones...
CHATOPS
- GLOBOPS is usually reserved for important network information. Therefore, for Oper Chat, CHATOPS was invented. IRCops with the +c flag enabled will be able to send/receive CHATOPS messages.
Syntax: CHATOPS <message>
Example: CHATOPS How's everyone doing today?
LOCOPS
- Similar to GLOBOPS, except only received by those IRCops local to your server.
Syntax: LOCOPS <message>
Example: LOCOPS Going to be adding a temp k:line for that user...
REHASH
- Prompts the server to reread its configuration file (ircd.conf). Will also remove any temporary lines (i.e. k:line).
Syntax: REHASH
RESTART
- Kills and restarts the irc daemon, disconnecting all users currently on that server.
Syntax: RESTART
Syntax: RESTART <password>
DIE
- Kills the irc daemon, disconnecting all users currently on that server.
Syntax: DIE
Syntax: DIE <password>
RULES
- Reads the rules.conf file and sends the contents to the user.
Syntax: RULES
MAP
- Provides a "network map" of the IRC network. Mainly used for routing purposes.
Syntax: MAP
DALINFO
- Original DALnet ircd credits.
Syntax: DALINFO
MKPASSWD
- Used for generating an encrypted password. Mainly used for encrypted O:Line passwords.
Syntax: MKPASSWD <password>
Example: MKPASSWD codeit
ADDLINE
- Adds a line to the server's ircd.conf file. After it is added, you must REHASH the server for it to take effect.
23.0 Set block (networks/unrealircd.conf and networks/*.network)
24.0 Conclusion
1.0 Abstract
Welcome to the new Unreal configuration format. This format may seem very confusing at first,
but hopefully this document will clear up any confusion. This file will show you the new config
file directives as well as tell you the old format equivalent (where one exists) to help you get
a feel for the new file.
1.1 Introduction
Each entry, or block, in the new format has a specific format. The format works like:
<block-name> <block-value> {
<block-directive> <directive-value>;
};
<block-name> is the type of block, such as me, or admin. <block-value> sometimes specifies a
value, such as /oper login, but other times it will be a sub-type such as in ban user.
<block-directive> is an individual variable specific to the block, and <directive-value> is the
associated value. Directives and their values do not have to be separated by an equal sign, but
they may be if you choose to do so. If <directive-value> contains spaces, or characters that
represent a comment it must be contained in double quotes. If you want to use a quote character
inside a quoted string use \" and it will be understood as a quote character. A
<block-directive> can have directives within it; if that's the case it will have its own set of
curly braces surrounding it. Some blocks do not have directives and are specified just by
<block-value>, such as include. Also note that there is no set format, meaning the whole block
can appear on one line or over multiple lines. The format above is what is normally used (and
what will be used in this file) because it is easy to read. Note: the configuration file is
currently case sensitive so BLOCK-NAME is not the same as block-name. There is a special
notation used to talk about entries in the config file. For example, to talk about
<block-directive> in the example above, you'd say <block-name>::<block-directive>, and if that
directive has a sub-block you want to reference, you would add another :: and the name of the
sub directive. To talk about an unnamed directive you would do <block-name>:: which would in
this case mean <block-value>, or it could be an entry in a sub block that has no name.
Comments are supported in three formats, both multi-line and single-line comments are supported.
To comment a single line there are two options, a shell style comment, or a C++ style comment.
A shell style comment begins with a # and a C++ style begins with a //. These comments can
appear anywhere in a line and comment anything until the end of the line. For multi-line
comments, a C style comment is supported. To start the comment you enter /* and anything from
there until the */ is commented.
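The quoting and comment rules of this section, as an added tokenizer example that is not UnrealIRCd's own parser: the token limits, the treatment of `=` as a plain separator, the function names and the sample configuration text (including the `allow` password value) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS    32
#define MAX_TOKEN_LEN 64

/* Whitespace and the optional '=' both just separate tokens. */
static int is_separator(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '=';
}

/* An unquoted word ends at a separator, a structural character, a quote,
 * or the start of any of the three comment styles. */
static int ends_word(const char *s)
{
    if (*s == '\0' || is_separator(*s) || strchr("{};\"#", *s))
        return 1;
    return s[0] == '/' && (s[1] == '/' || s[1] == '*');
}

/* Returns the number of tokens, or -1 on an unterminated quote or
 * comment, an over-long token, or too many tokens. */
static int conf_tokenize(const char *s, char tokens[][MAX_TOKEN_LEN], int max)
{
    int n = 0;

    while (*s) {
        if (is_separator(*s)) { s++; continue; }
        if (*s == '#' || (s[0] == '/' && s[1] == '/')) {  /* to end of line */
            while (*s && *s != '\n') s++;
            continue;
        }
        if (s[0] == '/' && s[1] == '*') {                 /* until closing */
            const char *end = strstr(s + 2, "*/");
            if (!end) return -1;
            s = end + 2;
            continue;
        }
        if (n >= max) return -1;
        size_t len = 0;
        char *out = tokens[n];
        if (*s == '{' || *s == '}' || *s == ';') {
            out[len++] = *s++;
        } else if (*s == '"') {
            s++;
            while (*s && *s != '"') {
                if (s[0] == '\\' && s[1] == '"') s++;     /* \" is a literal quote */
                if (len + 1 >= MAX_TOKEN_LEN) return -1;
                out[len++] = *s++;
            }
            if (*s != '"') return -1;                     /* unterminated string */
            s++;
        } else {
            while (!ends_word(s)) {
                if (len + 1 >= MAX_TOKEN_LEN) return -1;
                out[len++] = *s++;
            }
        }
        out[len] = '\0';
        n++;
    }
    return n;
}

static char g_tokens[MAX_TOKENS][MAX_TOKEN_LEN];

static int count_tokens(const char *conf)
{
    return conf_tokenize(conf, g_tokens, MAX_TOKENS);
}

static const char *nth_token(const char *conf, int i)
{
    int n = conf_tokenize(conf, g_tokens, MAX_TOKENS);
    return (i >= 0 && i < n) ? g_tokens[i] : "";
}

/* Constructed sample input. */
static const char SAMPLE[] =
    "me {\n"
    "  name irc.example.org;   # shell-style comment\n"
    "  info \"Test #1 // \\\"quoted\\\" server\";  // C++-style comment\n"
    "  /* C-style comment\n"
    "     spanning lines */\n"
    "  numeric = 21;\n"
    "};\n";
/* Unquoted value containing '#': the rest of the line becomes a comment. */
static const char UNQUOTED[] = "allow { password secret#2024; };";
static const char QUOTED[]   = "allow { password \"secret#2024\"; };";

int main(void)
{
    int i, n = count_tokens(SAMPLE);
    for (i = 0; i < n; i++)
        printf("[%s]\n", g_tokens[i]);
    printf("unquoted value read as: %s\n", nth_token(UNQUOTED, 3));
    printf("quoted value read as:   %s\n", nth_token(QUOTED, 3));
    return 0;
}
```

In the `UNQUOTED` sample the value is cut at the `#` and the closing `; };` is swallowed by the comment, which is why values containing comment characters have to be quoted.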
2.0 Me block (M:line)
Syntax:
me {
name <name-of-server>;
info <server-description>;
numeric <server-numeric>;
};
Example:
me {
name irc.unrealircd.com;
info "UnrealIRCd Development Server";
numeric 21;
};
These values are pretty obvious. The me::name specifies the name of the server, me::info
specifies the server's info line, me::numeric specifies a numeric to identify the server. This
must be a value between 1 and 255 that is unique to the server meaning no other servers on the
network may have the same numeric.
3.0 Admin block (A:line)
Syntax:
admin {
<text-line>;
<text-line>;
...
};
Example:
admin {
"codemastr";
"codemastr@unrealircd.com";
};
The admin block defines the text displayed in a /admin request. You can specify as many lines
as you want and you they can contain whatever information you choose, but it is standard to
include the admin's nickname and email address at a minimum. Other information may include any
other contact information you wish to give.
4.0 Class block (Y:line)
Syntax:
class <name> {
pingfreq <ping-frequency>;
connfreq <connect-frequency>;
maxclients <maximum-clients>;
sendq <send-queue>;
};
Example:
class clients {
pingfreq 90;
maxclients 100;
sendq 50000;
};
The class block is a vastly simplified version of the Y:lines. You are no longer limited to
naming them with a number, you can now use an alpha-numeric string which is specified in the
class::. The values of this block define the connection classes, class::pingfreq specifies the
number of seconds between PINGs, class::connfreq is only used in server classes to specify the
time in seconds between connection attempts, class::maxclients specifies the maximum amount of
clients that may use this class to connect, and class::sendq specifies the amount of information
that can remain in the send queue buffer.
5.0 Allow block (I:line)
Syntax:
allow {
ip <user@ip-connection-mask>;
hostname <user@host-connection-mask>;
class <connection-class>;
password <connection-password> { <auth-type>; };
maxperip <max-connections-per-ip>;
redirect-server <server-to-forward-to>;
redirect-port <port-to-forward-to>;
};
Example:
allow {
ip *@*;
hostname *@*;
class clients;
maxperip 2;
redirect-server irc2.unrealircd.com;
redirect-port 6667;
};
The allow class is similar to an I:line but provides more features. The allow::ip specifies a
user@ip hostmask for a user to match to connect and allow::hostname specifies a user@host to
match to connect, allow::class is the name of a preexisting (appears before this block in the
config) class block that will be used for this class. The rest of the directives are optional,
allow::password specifies a password that users must enter to connect. The allow::password::
allows you to specify an authentication method. Currently supported methods are crypt, md3, and
sha1. If you are using plain-text you can just leave this sub-block out. This directive also
allows you to configure close killing, allow::maxperip lets you specify the maximum number of clients that may connect from a single IP. Lastly, the allow block supports redirection when the server is full, allow::redirect-server specifies the address of a server to forward to, and allow::redirect-port specifies the port, if no port is specified, 6667 is assumed. Note: for auto-redirection to occur the client must have support for the redirection numeric, at this time not many clients do.
6.0 Listen block (P:line)
Syntax:
listen <ip:port> {
options {
<option>;
<option>;
...
};
};
Examples:
listen 192.168.1.1:6667;
listen 192.168.1.1:6697 {
options {
ssl;
};
};
This block allows you to specify the ports on which the IRCd will listen. If no options are
required, you may specify this without any directives in the form listen <ip:port>;. Valid
listen::options are clientsonly (only users may connect), serversonly (only servers name
connect), java (CR javachat support), ssl (SSL encrypted port). A combination of any of those
flags may be specified. Since IPv6 is now supported, and the IPv6 seperator is a : it makes the
ip:port format a bit difficult. To compensate, you should enclose the IP in brackets. For
example, [::1]:6667. Which will bind to the localhost on port 6667. If you are using IPv6 and
want to listen on an IPv4 IP use the format [::ffff:<ip>]:<port>. For example,
[::ffff:203.123.67.1]:6667. Which will bind to the IPv4 203.123.67.1 on port 6667. You may also
specify * as the IP to bind to all interfaces.
7.0 Oper block (O:line)
oper <name> {
from {
userhost <hostmask>;
userhost <hostmask>;
...
};
password <password> { <auth-type>; };
class <class-name>;
snomask <snomask>;
swhois <swhois>;
flags <flags>;
flags {
<flag>;
<flag>;
...
};
};
Example:
oper codemastr {
from {
userhost codemastr@staff.unrealircd.info;
userhost codemastr@unrealircd.com;
};
password "testpass";
class clients;
snomask "+kfc";
flags OAaRDNz^t;
};
The oper block allows you to assign IRC Operators for your server. The oper:: specifies the
login name for the /oper. The oper::from::userhost is a user@host mask that the user must
match, you can specify more than one hostmask by creating more than one oper::from::userhost.
The oper::password is the password the user must specify, oper::password:: allows you to
specify an authentication method for this password, valid auth-types are crypt, md5, and sha1.
If you want to use a plain-text password leave this sub-block out. The oper::class directive
specifies the name of a preexisting (appears before this in the config file) class name that
the oper block will use. The oper::snomask directive lets you specify the default snomask
the \oper will receive, this overrides the standard snomask that is normally set. The
oper::swhois directive allows you to specify an swhois line that will be set when the user
/oper's. Note: This directive will be overridden if you use an IRC Services program that also
sets swhois. The oper::flags directive has two formats. If you wish to use the old style
oper flags i.e., OAa, you use the flags <flags> method, if you want to use the new style, i.e.,
services-admin, then you use the flags { <flag>; } method. Below is a list of all the flags
(in both formats) and what they do.
o local Makes you a local operator (contains rhgwlckbBn)
O global Makes you a global operator (contains oLKG)
C coadmin Makes you a coadmin
A admin Makes you an admin
a services-admin Makes you a services admin
N netadmin Makes you a netadmin
r can_rehash Oper may use /rehash
D can_die Oper may use /die
R can_restart Oper may use /restart
h helpop Oper receives +h (helpop)
w can_wallops Oper can send /wallops
g can_globops Oper can send /globops
c can_localroute Can connect servers locally
L can_globalroute Can connect servers globally
k can_localkill Can /kill local users
K can_globalkill Can /kill global users
b can_kline Can use /kline
B can_unkline Can use /unkline
t can_gkline Can use /gline and /shun
Z can_gzline Can use /gzline
n can_localnotice Can send local server notices
G can_globalnotice Can send global server notices
z can_zline Can use /zline
W get_umodew Sets +W when you oper
H get_host Sets your host to an oper host
^ can_stealth Can use +I
8.0 Drpass block (X:line)
Syntax:
drpass {
restart <restart-password> { <auth-type>; };
die <die-password> { <auth-type>; };
};
Example:
drpass {
restart "0CvoXHMDB45pY" { crypt; };
die "0BMFSJ6FWd23s" { crypt; };
};
This block sets the /restart and /die passwords with drpass::restart and drpass::die
respectively. The drpass::restart:: and drpass::die:: allow you to specify the type of
authentication used by this item. The currently supported authentication types are crypt, md5,
and sha1.
9.0 Include directive (N/A)
Syntax:
include <file-name>;
Example:
include "badwords.channel.conf";
This directive specifies a filename to be loaded as a seperate configuration file. This file
may contain any type of config block and can even include other files. Wildcards are supported
in the file name to allow you to load multiple files at once.
10.0 Loadmodule directive (N/A)
Syntax:
loadmodule <file-name>;
Example:
include "src/modules/commands.so";
This directive specifies a filename to be loaded as a module. Some modules may have there own
documentation which should be consulted when setting it up. Loadmodule also supports wildcards
to easily load multiple modules at once.
11.0 Log block (N/A)
Syntax:
log <file-name> {
maxsize <max-file-size>;
flags {
<flag>;
<flag>;
...
};
};
Example:
log ircd.log {
maxsize 200KB;
flags { errors; tkl; kline; };
};
The log block allows you to assign different log files for different purposes. If the log
filename is syslog and your system has syslogd, then syslogd will be used to log for this file.
If you do not have syslogd, then specifying a filename of syslog will simply write to a file
named syslog. The log:: contains the name of the log file. log::maxsize is an optional
directive that allows you to specify a size that the log file will be wiped and restarted. You
can enter this string using MB for megabytes, KB, for kilobytes, GB, for gigabytes. The
log::flags specifies which types of information will be in this log. You can specify one or
more of the following, errors, kills, tkl (G:lines and Shuns), connects, server-connects,
kline, and oper.
12.0 Tld block (T:line)
Syntax:
tld {
mask <hostmask>;
motd <motd-file>;
rules <rules-file>;
channel <channel-name>;
};
Example:
tld {
mask *@*.es;
motd motd.spanish;
rules rules.spanish;
channel #help-spanish;
};
The tld block allows you to specify a motd, rules, and channel for a user based on their host.
This is useful if you want different motds for different languages. The tld::mask is a
user@host mask that the user's username and hostname must match. The tld::motd and tld::rules
specify the motd and rules file, respectively, to be displayed to this hostmask. Lastly the
tld::channel is optional, it allows you to specify a channel that this user will be forced to
join on connect. If this exists it will override the default auto join channel.
13.0 Ban nick block (Q:line)
Syntax:
ban nick {
mask <nickname>;
reason <reason-for-ban>;
};
Example:
ban nick {
mask "*Serv";
reason "Reserved for services";
};
The ban nick block allows you to disable use of a nickname on the server. The ban::mask allows
wildcard masks to match multiple nicks, and ban::reason allows you to specify the reason for
which this ban is placed. Most commonly these blocks are used to ban usage of the nicknames
commonly used for network services.
13.1 Ban user block (K:line)
Syntax:
ban user {
mask <hostmask>;
reason <reason-for-ban>;
};
Example:
ban user {
mask *@*.bobs.com;
reason "Abuse from domain";
};
This block allows you to ban a user@host mask from connecting to the server. The ban::mask is a
wildcard string of a user@host to ban, and ban::reason is the reason for a ban being placed.
Note, this is only a local ban and therefore the user may connect to other servers on the
network.
13.2 Ban ip block (Z:line)
Syntax:
ban ip {
mask <ipmask>;
reason <reason-for-ban>;
};
Example:
ban ip {
mask 127.0.0.1;
reason "No local connections allowed";
};
The ban ip block bans an IP from accessing the server. This includes both users and servers
attempting to link. The ban::mask parameter is an IP which may contain wildcard characters, and
ban::reason is the reason why this ban is being placed. Since this ban affects servers it should
be used very carefully.
13.3 Ban realname block (n:line)
Syntax:
ban realname {
mask <realname-mask>;
reason <reason-for-ban>;
};
Example:
ban realname {
mask "*sub7*";
reason "Sub7 Drones are not allowed";
};
The ban realname block allows you to ban a client based on the GECOS (realname) field. This is
useful to stop clone floods because often clone bots use the same realname. The ban::mask
specifies the realname which should be banned. The mask may contain wildcards. The ban::reason
specifies the reason why this ban is being placed.
13.4 Ban server block (q:line)
Syntax:
ban server {
mask <server-name>;
reason <reason-for-ban>;
};
Example:
ban server {
mask irc.lamerland.com;
reason "Too many lamers";
};
This block disables a server's ability to connect to your server. The ban::mask field specifies
a wildcard mask to match against the server attempting to connect's name, and ban::reason
specifies the reason for which this ban has been placed.
14.0 Except ban block (E:line)
Syntax:
except ban {
mask <hostmask>;
};
Example:
except ban {
mask *@*.unrealircd.com;
};
The except ban block allows you to specify a user@host that will override a ban placed on a
broader host. This is useful when you want an ISP banned, but still want specific users to be
able to connect. The except::mask directive specifies the user@host mask of the client who will
be allowed to connect.
14.1 Except scan block (e:line)
Syntax:
except scan {
mask <ipmask>;
};
Example:
except scan {
mask 192.168.1.23;
};
The except scan block allows you to specify an IP mask that will override the scanners. This
only works if you have chosen to load the scanner modules. The except::mask specifies an IP
mask that will not be banned because of any type of scanner problem.
14.2 Except tkl block (N/A)
Syntax:
except tkl {
type <type>;
mask <hostmask>;
};
Example:
except tkl {
type gline;
mask *@*.unrealircd.com;
};
The except tkl block lets you set a host as being exempt from certain types of tkls. The
except::type specifies the type of tkl the mask will be exempt from. Valid entries are gline,
gzline, tkline, tzline, or shun. The except::mask specifies a user@host that will be exempt
from the ban.
15.0 Deny dcc block (dccdeny.conf)
Syntax:
deny dcc {
filename <file-to-block>;
reason <reason-for-ban>;
};
Example:
deny dcc {
filename "dmsetup.exe";
reason "Dmsetup is a trojan";
};
The deny dcc block allows you to specify a filename which will not be allowed to be sent via
DCC over the server. This is very useful in helping stop distribution of trojans and viruses.
The deny::filename parameter specifies a wildcard mask of the filename to reject sends of, and
deny::reason specifys the reason why this file is blocked.
15.1 Deny version block (V:line)
Syntax:
deny version {
mask <server-name>;
version <version-number>;
flags <compile-flags>;
};
Example:
deny version {
mask *;
version *;
flags !R;
};
This block allows you to deny a server from linking based on the version of Unreal it is running
and what compile time options it has. The format for this block is somewhat complex but isn't
too hard to figure out. The deny::mask directive specifies a wildcard mask of the server name
this applies to. The deny::version specifies the protocol number of the version this refers to.
For example, 3.0 is 2301, 3.1.1/3.1.2 is 2302, 3.2 is 2303. The first character of this
parameter can be one of the following >, <, =, !. This character tells the IRCd how to
interpret the version. If the first character is a > then all version greater than the
specified version are denied, if it is a < all versions lower are denied, if it is an = only
that version is denied, and if it is a ! then all versions except the specified are denied. The
deny::flags directive allows you to specify what compile time flags the server may or may not
have. The flags are arranged one after the other with no seperation between, if a character is
prefixed by a ! then it means the server may not have this flag compiled into it, if it does not
have a ! prefix, then it means the server must have this flag compiled. An * can be specified for both
the version and the flags to indicate that all are allowed.
15.2 Deny link block (D:line and d:line)
Syntax:
deny link {
mask <server-name>;
rule <crule-expression>;
type <type-of-denial>;
};
Example:
deny link {
mask *.ca;
rule "connected(hub.irc.net)";
type all;
};
This block allows you to use specific rules to deny a server from linking. The deny::mask
specifies a wildcard mask of the server name to apply this rule to. The deny::rule directive is
very complex. A crule expression allows you to control the link in great detail, and it is set
up like a programming expression. Four operators are supported, connected(<servermask>), returns
true if a server matching servermask is connected, directcon(<servermask>), returns true if the
server matching servermask is directly connected to this server, via(<viamask>,<servermask>),
returns true if a server matching servermask is connected by a server matching viamask, and
directop(), which returns true if the operator issuing a /connect is directly connected to this
server. These operators can be combined using && (and) and || (or), items may also be enclosed
in parenthesis to allow grouping. In addition, an operator preceded with a ! checks if the
operator returned false. If the entire expression evaluates to true, then the link is denied.
The deny::type allows two different values, auto (only applies to autoconnects, /connect will
still work), and all (applies to all connection attempts).
15.3 Deny channel block (chrestrict.conf)
Syntax:
deny channel {
channel <channel-mask>;
reason <reason-for-ban>;
};
Example:
deny channel {
channel "#*hack*";
reason "Hacking channels are not allowed";
};
The deny channel block allows you to disallow users from joining specific channels. The
deny::channel directive specifies a wildcard mask of channels the users may not join, and the
deny::reason specifies the reason why the channel may not be joined.
16.0 Allow channel block (N/A)
Syntax:
allow channel {
channel <channel-mask>;
};
Example:
allow channel {
channel "#help";
};
The allow channel block allows you to specify specific channels that users may join. The
allow::channel directive specifies the wildcard mask of the channels which may be joined.
17.0 Vhost block (vhost.conf)
Syntax:
vhost {
vhost <vhost>;
from {
userhost <hostmask>;
userhost <hostmask>;
...
};
login <login-name>;
password <password> { <auth-type>; };
};
Example:
vhost {
vhost "i.love.unrealircd.com";
from {
userhost "*@unrealircd.com";
};
login "codemastr";
password "hjddfsre";
};
The vhost block allows you to specify a login/password that can be used with the /vhost command
to obtain a fake hostname. The vhost::vhost parameter can be either a user@host or just a host
that the user will receive upon successful /vhost. The vhost::from::userhost contains a
user@host that the user must match to be eligable for the vhost. You may specify more than one
hostmask. The vhost::login in the login name the user must enter and vhost::password is the
password that must be entered. Lastly vhost::password:: allows you to specify the type of
authentication used by this item. The currently supported authentication types are crypt, md5,
and sha1.
18.0 Badword block (badwords.*.conf)
Syntax:
badword <type> {
word <regex-to-match>;
replace <replace-with>;
};
Example:
badword channel {
word "ass";
replace "butt";
};
The badword block allows you to manipulate the list used for user and channel mode +G to strip
"badwords". The badword:: specifies the type, valid types are channel and messages, channel is
for the channel +G list, and message is for the user +G list. The badword::word is a regular
expression of the word we should search for and remove. The badword::replace is what we should
replace this match with. If badword::replace is left out, the word is replaced with <censored>.
19.0 Ulines block (U:line)
Syntax:
ulines {
<server-name>;
<server-name>;
...
};
Example:
ulines {
services.unrealircd.com;
};
The ulines block lets you define certain servers as having extra abilities. This should only be
used for servers such as services and stats. This should not be set for a normal server. Each
entry is the name of the server which will receive the extra abilities.
20.0 Link block (C:line, N:line, H:line, and L:line)
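Review bot: In section 10.0 the Loadmodule example reads `include "src/modules/commands.so";`, which demonstrates the include directive instead of the one being documented; it should be `loadmodule "src/modules/commands.so";`. In section 5.0 the auth-type list says "crypt, md3, and sha1" while sections 7.0, 8.0 and 17.0 all say md5, so md3 looks like a typo. The oper and vhost examples use plain-text passwords with no auth-type sub-block, whereas the drpass example shows `{ crypt; }`; since readers copy examples, showing a hashed password in the oper example as well would be the safer default.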
fprintf(stderr,"7 = Enable NS 8 = Ignore end of burst\n");
fprintf(stderr,"9 = Enable SJ3 a = Enable SJB64\n");
fatal("incorrect argument count");
exit(1);
}
jupedservername=argv[1];
uplinkservername=argv[2];
jupereason=argv[3];
password=argv[5];
p=argv[4];
for(;*p;p++)
{
if(*p=='1')
options|=0x1;
if(*p=='2')
options|=0x2;
if(*p=='3')
options|=0x4;
if(*p=='4')
options|=0x8;
if(*p=='5')
options|=0x10;
if(*p=='6')
options|=0x20;
if(*p=='7')
options|=0x40;
if(*p=='8')
options|=0x80;
if(*p=='9')
options|=0x100;
if(*p=='a')
options|=0x200;
}
/* installe le signal_catcher */
signal(SIGTERM,(signalhandler)signal_catcher);
robot.read=robot.write=0;
initialize(&robot);
run_client(&robot);
exit(0);
}
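Review bot: `password=argv[5];` takes the password from the command line, where it is visible to other local users in the process list and tends to end up in shell history; reading it from a file with restricted permissions or from stdin would avoid that. The option loop over argv[4] silently ignores any character other than 1-9 and a, so a typo in the option string goes unnoticed; a final branch that reports the unknown character and exits would catch it. The cast in `signal(SIGTERM,(signalhandler)signal_catcher);` hides any mismatch between signal_catcher and the handler type, so giving signal_catcher the matching prototype and dropping the cast is preferable, and the comment above it should be in English like the rest of the file.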
Some files were not shown because too many files have changed in this diff