X-Git-Url: https://jfr.im/git/irc/quakenet/newserv.git/blobdiff_plain/2ba75e9561528f2470f6f90821358067817aa523..04b5f1160dbde3d7ee6059e778cbd6835727c723:/trusts/trusts_policy.c diff --git a/trusts/trusts_policy.c b/trusts/trusts_policy.c index 0ae5d0eb..b5c70d8e 100644 --- a/trusts/trusts_policy.c +++ b/trusts/trusts_policy.c @@ -5,6 +5,7 @@ #include #include #include +#include #ifndef __USE_MISC #define __USE_MISC /* inet_aton */ @@ -16,6 +17,7 @@ #include #include +#include "../lib/version.h" #include "../lib/hmac.h" #include "../core/events.h" #include "../core/schedule.h" @@ -26,8 +28,11 @@ #include "../lib/irc_string.h" #include "../irc/irc.h" #include "../glines/glines.h" +#include "../patricianick/patricianick.h" #include "trusts.h" +MODULE_VERSION(""); + static int countext, enforcepolicy_irc, enforcepolicy_auth; #define TRUSTBUFSIZE 8192 @@ -45,6 +50,7 @@ typedef struct trustsocket { time_t timeout; int accepted; int rejected; + int unthrottled; struct trustsocket *next; } trustsocket; @@ -61,13 +67,22 @@ typedef struct trustaccount { trustaccount trustaccounts[MAXSERVERS]; -static int checkconnectionth(const char *username, struct irc_in_addr *ip, trusthost *th, int hooknum, int usercountadjustment, char *message, size_t messagelen) { +static int checkconnection(const char *username, struct irc_in_addr *ipaddress, int hooknum, int usercountadjustment, char *message, size_t messagelen, int *unthrottle) { + trusthost *th; trustgroup *tg; + struct irc_in_addr ipaddress_canonical; + + ip_canonicalize_tunnel(&ipaddress_canonical, ipaddress); + + th = th_getbyhost(&ipaddress_canonical); + + if (unthrottle) + *unthrottle = 0; if(messagelen>0) message[0] = '\0'; - if(!th || !trustsdbloaded) + if(!th || !trustsdbloaded || irc_in_addr_is_loopback(ipaddress)) return POLICY_SUCCESS; tg = th->group; @@ -81,19 +96,30 @@ static int checkconnectionth(const char *username, struct irc_in_addr *ip, trust if(hooknum == HOOK_TRUSTS_NEWNICK) { patricia_node_t *head, *node; - int nodecount = 0; - - head = refnode(iptree, ip, th->nodebits); - PATRICIA_WALK(head, node) - { - nodecount += node->usercount; + int i, nodecount = 0; + patricianick_t *pnp; + nick *npp; + + head = refnode(iptree, &ipaddress_canonical, th->nodebits); + nodecount = head->usercount; + + /* Account for borrowed IP addresses. */ + PATRICIA_WALK(head, node) { + pnp = node->exts[pnode_ext]; + + if (pnp) + for (i = 0; i < PATRICIANICK_HASHSIZE; i++) + for (npp = pnp->identhash[i]; npp; npp=npp->exts[pnick_ext]) + if (NickOnServiceServer(npp)) + usercountadjustment--; } PATRICIA_WALK_END; + derefnode(iptree, head); if(th->maxpernode && nodecount + usercountadjustment > th->maxpernode) { - controlwall(NO_OPER, NL_TRUSTS, "Hard connection limit exceeded on subnet: %s (group: %s): %d connected, %d max.", trusts_cidr2str(ip, th->nodebits), tg->name->content, nodecount, th->maxpernode); - snprintf(message, messagelen, "Too many connections from your host (%s) - see http://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip)); + controlwall(NO_OPER, NL_CLONING, "Hard connection limit exceeded on subnet: %s (group: %s): %d connected, %d max.", CIDRtostr(*ipaddress, th->nodebits), tg->name->content, nodecount + usercountadjustment, th->maxpernode); + snprintf(message, messagelen, "Too many connections from your host (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ipaddress)); return POLICY_FAILURE_NODECOUNT; } @@ -101,17 +127,17 @@ static int checkconnectionth(const char *username, struct irc_in_addr *ip, trust if(tg->count > (long)tg->exts[countext]) { tg->exts[countext] = (void *)(long)tg->count; - controlwall(NO_OPER, NL_TRUSTS, "Hard connection limit exceeded (group %s): %d connected, %d max.", tg->name->content, tg->count, tg->trustedfor); - snprintf(message, messagelen, "Too many connections from your trust (%s) - see http://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip)); - return POLICY_FAILURE_GROUPCOUNT; + controlwall(NO_OPER, NL_CLONING, "Hard connection limit exceeded (group %s): %d connected, %d max.", tg->name->content, tg->count + usercountadjustment, tg->trustedfor); + snprintf(message, messagelen, "Too many connections from your trust (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ipaddress)); } - - snprintf(message, messagelen, "Trust has %d out of %d allowed connections.", tg->count + usercountadjustment, tg->trustedfor); + + snprintf(message, messagelen, "Too many connections from your trust (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ipaddress)); + return POLICY_FAILURE_GROUPCOUNT; } if((tg->flags & TRUST_ENFORCE_IDENT) && (username[0] == '~')) { - controlwall(NO_OPER, NL_TRUSTS, "Ident required: %s@%s (group: %s).", username, IPtostr(*ip), tg->name->content); - snprintf(message, messagelen, "IDENTD required from your host (%s) - see http://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip)); + controlwall(NO_OPER, NL_CLONING, "Ident required: %s@%s (group: %s).", username, IPtostr(*ipaddress), tg->name->content); + snprintf(message, messagelen, "IDENTD required from your host (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ipaddress)); return POLICY_FAILURE_IDENTD; } @@ -128,8 +154,8 @@ static int checkconnectionth(const char *username, struct irc_in_addr *ip, trust } if(identcount + usercountadjustment > tg->maxperident) { - controlwall(NO_OPER, NL_TRUSTS, "Hard ident limit exceeded: %s@%s (group: %s): %d connected, %d max.", username, IPtostr(*ip), tg->name->content, identcount, tg->maxperident); - snprintf(message, messagelen, "Too many connections from your username (%s@%s) - see http://www.quakenet.org/help/trusts/connection-limit for details.", username, IPtostr(*ip)); + controlwall(NO_OPER, NL_CLONING, "Hard ident limit exceeded: %s@%s (group: %s): %d connected, %d max.", username, IPtostr(*ipaddress), tg->name->content, identcount + usercountadjustment, tg->maxperident); + snprintf(message, messagelen, "Too many connections from your username (%s@%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", username, IPtostr(*ipaddress)); return POLICY_FAILURE_IDENTCOUNT; } } @@ -138,14 +164,13 @@ static int checkconnectionth(const char *username, struct irc_in_addr *ip, trust tg->exts[countext] = (void *)(long)tg->count; } - return POLICY_SUCCESS; -} + if(tg->trustedfor > 0) + snprintf(message, messagelen, "Trust has %d out of %d allowed connections.", tg->count + usercountadjustment, tg->trustedfor); -static int checkconnection(const char *username, struct irc_in_addr *ip, int hooknum, int cloneadjustment, char *message, size_t messagelen) { - struct irc_in_addr ip_canonicalized; - ip_canonicalize_tunnel(&ip_canonicalized, ip); + if(unthrottle && (tg->flags & TRUST_UNTHROTTLE)) + *unthrottle = 1; - return checkconnectionth(username, &ip_canonicalized, th_getbyhost(&ip_canonicalized), hooknum, cloneadjustment, message, messagelen); + return POLICY_SUCCESS; } static int trustdowrite(trustsocket *sock, char *format, ...) { @@ -169,16 +194,16 @@ static int trustdowrite(trustsocket *sock, char *format, ...) { static int policycheck_auth(trustsocket *sock, const char *sequence_id, const char *username, const char *host) { char message[512]; - int verdict; - struct irc_in_addr ip; + int verdict, unthrottle; + struct irc_in_addr ipaddress; unsigned char bits; - - if(!ipmask_parse(host, &ip, &bits)) { + + if(!ipmask_parse(host, &ipaddress, &bits)) { sock->accepted++; return trustdowrite(sock, "PASS %s", sequence_id); } - - verdict = checkconnection(username, &ip, HOOK_TRUSTS_NEWNICK, 1, message, sizeof(message)); + + verdict = checkconnection(username, &ipaddress, HOOK_TRUSTS_NEWNICK, 1, message, sizeof(message), &unthrottle); if(!enforcepolicy_auth) verdict = POLICY_SUCCESS; @@ -186,6 +211,11 @@ static int policycheck_auth(trustsocket *sock, const char *sequence_id, const ch if (verdict == POLICY_SUCCESS) { sock->accepted++; + if (unthrottle) { + sock->unthrottled++; + trustdowrite(sock, "UNTHROTTLE %s", sequence_id); + } + if(message[0]) return trustdowrite(sock, "PASS %s %s", sequence_id, message); else @@ -193,7 +223,7 @@ static int policycheck_auth(trustsocket *sock, const char *sequence_id, const ch } else { sock->rejected++; - controlwall(NO_OPER, NL_TRUSTS, "Rejected connection from %s@%s using IAuth: %s", username, host, message); + controlwall(NO_OPER, NL_CLONING, "Rejected connection from %s@%s using IAuth: %s", username, host, message); return trustdowrite(sock, "KILL %s %s", sequence_id, message); } } @@ -203,18 +233,24 @@ static int trustkillconnection(trustsocket *sock, char *reason) { return 0; } -static void trustfreeconnection(trustsocket *sock) { - trustsocket **pnext = &tslist; - - for(trustsocket *ts=tslist;ts;ts=ts->next) { +static void trustfreeconnection(trustsocket *sock, int unlink) { + trustsocket **pnext, *ts; + + if(!unlink) { + controlwall(NO_OPER, NL_TRUSTS, "Lost connection on policy socket for '%s'.", sock->authed?sock->authuser:""); + + deregisterhandler(sock->fd, 1); + nsfree(POOL_TRUSTS, sock); + return; + } + + for(pnext=&tslist;*pnext;pnext=&((*pnext)->next)) { + ts=*pnext; if(ts == sock) { - deregisterhandler(sock->fd, 1); *pnext = sock->next; - nsfree(POOL_TRUSTS, sock); + trustfreeconnection(sock, 0); break; } - - pnext = &(sock->next); } } @@ -224,6 +260,7 @@ static int handletrustauth(trustsocket *sock, char *server_name, char *mac) { unsigned char digest[16]; char noncehexbuf[NONCELEN * 2 + 1]; char hexbuf[sizeof(digest) * 2 + 1]; + trustsocket *ts, **pnext; for(i=0;inext)) { + ts = *pnext; + if(ts->authed && strcmp(ts->authuser, server_name) == 0) { + trustkillconnection(ts, "New connection with same server name."); + *pnext = ts->next; + trustfreeconnection(ts, 0); + break; + } + } + sock->authed = 1; strncpy(sock->authuser, server_name, SERVERLEN); @@ -290,6 +337,9 @@ static int handletrustline(trustsocket *sock, char *line) { policycheck_auth(sock, tokens[0], tokens[1], tokens[2]); return 1; + } else if(!strcmp("VERSION", command)) { + /* Ignore this command for now. */ + return 1; } else { Error("trusts_policy", ERR_WARNING, "Bad command: %s", command); return 0; @@ -340,31 +390,28 @@ static void processtrustclient(int fd, short events) { if(!sock) return; - + + if (events & (POLLPRI | POLLERR | POLLHUP | POLLNVAL)) { + trustfreeconnection(sock, 1); + return; + } + if(events & POLLIN) if(!handletrustclient(sock)) - trustfreeconnection(sock); + trustfreeconnection(sock, 1); } static void trustdotimeout(void *arg) { time_t t = time(NULL); - trustsocket **pnext, *next, *sock; - - pnext = &tslist; - - for(sock=tslist;sock;) { - next = sock->next; + trustsocket **pnext, *sock; + for(pnext=&tslist;*pnext;pnext=&((*pnext)->next)) { + sock = *pnext; if(!sock->authed && t >= sock->timeout) { trustkillconnection(sock, "Auth timeout."); - deregisterhandler(sock->fd, 1); *pnext = sock->next; - nsfree(POOL_TRUSTS, sock); - } else { - pnext = &(sock->next); + trustfreeconnection(sock, 0); } - - sock=next; } } @@ -372,6 +419,7 @@ static void processtrustlistener(int fd, short events) { if(events & POLLIN) { trustsocket *sock; char buf[NONCELEN * 2 + 1]; + int optval; int newfd = accept(fd, NULL, NULL), flags; if(newfd == -1) @@ -390,6 +438,15 @@ static void processtrustlistener(int fd, short events) { return; } + optval = 10; + setsockopt(newfd, SOL_SOCKET, TCP_KEEPIDLE, &optval, sizeof(optval)); + optval = 3; + setsockopt(newfd, SOL_SOCKET, TCP_KEEPCNT, &optval, sizeof(optval)); + optval = 10; + setsockopt(newfd, SOL_SOCKET, TCP_KEEPINTVL, &optval, sizeof(optval)); + optval = 1; + setsockopt(newfd, SOL_SOCKET, SO_KEEPALIVE, &optval, sizeof(optval)); + registerhandler(newfd, POLLIN|POLLERR|POLLHUP, processtrustclient); sock = nsmalloc(POOL_TRUSTS, sizeof(trustsocket)); @@ -414,6 +471,7 @@ static void processtrustlistener(int fd, short events) { sock->timeout = time(NULL) + 30; sock->accepted = 0; sock->rejected = 0; + sock->unthrottled = 0; if(!trustdowrite(sock, "AUTH %s", hmac_printhex(sock->nonce, buf, NONCELEN))) { Error("trusts_policy", ERR_WARNING, "Error writing auth to fd %d.", newfd); deregisterhandler(newfd, 1); @@ -466,12 +524,12 @@ static void policycheck_irc(int hooknum, void *arg) { nick *np = args[0]; long moving = (long)args[1]; char message[512]; - int verdict; + int verdict, unthrottle; if(moving) return; - verdict = checkconnectionth(np->ident, &np->p_nodeaddr, gettrusthost(np), hooknum, 0, message, sizeof(message)); + verdict = checkconnection(np->ident, &np->ipaddress, hooknum, 0, message, sizeof(message), &unthrottle); if(!enforcepolicy_irc) verdict = POLICY_SUCCESS; @@ -481,12 +539,13 @@ static void policycheck_irc(int hooknum, void *arg) { glinebynick(np, POLICY_GLINE_DURATION, message, GLINE_IGNORE_TRUST, "trusts_policy"); break; case POLICY_FAILURE_IDENTD: - glinebyip("~*", &np->p_ipaddr, 128, POLICY_GLINE_DURATION, message, GLINE_ALWAYS_USER|GLINE_IGNORE_TRUST, "trusts_policy"); + glinebyip("~*", &np->ipaddress, 128, POLICY_GLINE_DURATION, message, GLINE_ALWAYS_USER|GLINE_IGNORE_TRUST, "trusts_policy"); break; case POLICY_FAILURE_IDENTCOUNT: glinebynick(np, POLICY_GLINE_DURATION, message, GLINE_ALWAYS_USER|GLINE_IGNORE_TRUST, "trusts_policy"); break; } + } static int trusts_cmdtrustpolicyirc(void *source, int cargc, char **cargv) { @@ -527,10 +586,10 @@ static int trusts_cmdtrustsockets(void *source, int cargc, char **cargv) { time(&now); - controlreply(sender, "Server Connected for Accepted Rejected"); + controlreply(sender, "Server Connected for Accepted Rejected Unthrottled"); for(sock=tslist;sock;sock=sock->next) - controlreply(sender, "%-20s %20s %10d %15d", sock->authed?sock->authuser:"", longtoduration(now - sock->connected, 0), sock->accepted, sock->rejected); + controlreply(sender, "%-35s %-20s %-15d %-15d %-15d", sock->authed?sock->authuser:"", longtoduration(now - sock->connected, 0), sock->accepted, sock->rejected, sock->unthrottled); controlreply(sender, "-- End of list."); return CMD_OK; @@ -648,7 +707,7 @@ void _fini(void) { next = sock->next; trustkillconnection(sock, "Unloading module."); - trustfreeconnection(sock); + trustfreeconnection(sock, 0); sock = next; }