#include "ircd.h"
#include "snomask.h"
#include "sslproc.h"
+#include "wsproc.h"
#include "privilege.h"
#include "chmode.h"
#define CF_TYPE(x) ((x) & CF_MTYPE)
static int yy_defer_accept = 1;
+static int yy_wsock = 0;
struct TopConf *conf_cur_block;
static char *conf_cur_block_name = NULL;
static uint8_t yy_blacklist_iptype = 0;
static rb_dlink_list yy_blacklist_filters = { NULL, NULL, 0 };
+static char *yy_opm_address_ipv4 = NULL;
+static char *yy_opm_address_ipv6 = NULL;
+static uint16_t yy_opm_port_ipv4 = 0;
+static uint16_t yy_opm_port_ipv6 = 0;
+static int yy_opm_timeout = 0;
+static rb_dlink_list yy_opm_scanner_list;
+
static char *yy_privset_extends = NULL;
static const char *
};
static struct mode_table auth_table[] = {
- {"encrypted", CONF_FLAGS_ENCRYPTED },
- {"spoof_notice", CONF_FLAGS_SPOOF_NOTICE },
- {"exceed_limit", CONF_FLAGS_NOLIMIT },
- {"dnsbl_exempt", CONF_FLAGS_EXEMPTDNSBL },
- {"kline_exempt", CONF_FLAGS_EXEMPTKLINE },
- {"flood_exempt", CONF_FLAGS_EXEMPTFLOOD },
- {"spambot_exempt", CONF_FLAGS_EXEMPTSPAMBOT },
- {"shide_exempt", CONF_FLAGS_EXEMPTSHIDE },
- {"jupe_exempt", CONF_FLAGS_EXEMPTJUPE },
- {"resv_exempt", CONF_FLAGS_EXEMPTRESV },
- {"no_tilde", CONF_FLAGS_NO_TILDE },
- {"need_ident", CONF_FLAGS_NEED_IDENTD },
- {"have_ident", CONF_FLAGS_NEED_IDENTD },
- {"need_ssl", CONF_FLAGS_NEED_SSL },
- {"need_sasl", CONF_FLAGS_NEED_SASL },
- {"extend_chans", CONF_FLAGS_EXTEND_CHANS },
+ {"encrypted", CONF_FLAGS_ENCRYPTED },
+ {"spoof_notice", CONF_FLAGS_SPOOF_NOTICE },
+ {"exceed_limit", CONF_FLAGS_NOLIMIT },
+ {"dnsbl_exempt", CONF_FLAGS_EXEMPTDNSBL },
+ {"proxy_exempt", CONF_FLAGS_EXEMPTPROXY },
+ {"kline_exempt", CONF_FLAGS_EXEMPTKLINE },
+ {"flood_exempt", CONF_FLAGS_EXEMPTFLOOD },
+ {"spambot_exempt", CONF_FLAGS_EXEMPTSPAMBOT },
+ {"shide_exempt", CONF_FLAGS_EXEMPTSHIDE },
+ {"jupe_exempt", CONF_FLAGS_EXEMPTJUPE },
+ {"resv_exempt", CONF_FLAGS_EXEMPTRESV },
+ {"no_tilde", CONF_FLAGS_NO_TILDE },
+ {"need_ident", CONF_FLAGS_NEED_IDENTD },
+ {"have_ident", CONF_FLAGS_NEED_IDENTD },
+ {"need_ssl", CONF_FLAGS_NEED_SSL },
+ {"need_sasl", CONF_FLAGS_NEED_SASL },
+ {"extend_chans", CONF_FLAGS_EXTEND_CHANS },
{NULL, 0}
};
{ "kline", SHARED_PKLINE|SHARED_TKLINE },
{ "xline", SHARED_PXLINE|SHARED_TXLINE },
{ "resv", SHARED_PRESV|SHARED_TRESV },
- { "dline", SHARED_PDLINE|SHARED_TDLINE },
- { "tdline", SHARED_TDLINE },
- { "pdline", SHARED_PDLINE },
+ { "dline", SHARED_PDLINE|SHARED_TDLINE },
+ { "tdline", SHARED_TDLINE },
+ { "pdline", SHARED_PDLINE },
{ "undline", SHARED_UNDLINE },
{ "tkline", SHARED_TKLINE },
{ "unkline", SHARED_UNKLINE },
yy_defer_accept = *(unsigned int *) data;
}
+static void
+conf_set_listen_wsock(void *data)
+{
+ yy_wsock = *(unsigned int *) data;
+}
+
static void
conf_set_listen_port_both(void *data, int ssl)
{
conf_report_warning("listener 'ANY/%d': support for plaintext listeners may be removed in a future release per RFC 7194. "
"It is suggested that users be migrated to SSL/TLS connections.", args->v.number);
}
- add_listener(args->v.number, listener_address, AF_INET, ssl, ssl || yy_defer_accept);
+ add_listener(args->v.number, listener_address, AF_INET, ssl, ssl || yy_defer_accept, yy_wsock);
#ifdef RB_IPV6
- add_listener(args->v.number, listener_address, AF_INET6, ssl, ssl || yy_defer_accept);
+ add_listener(args->v.number, listener_address, AF_INET6, ssl, ssl || yy_defer_accept, yy_wsock);
#endif
}
else
"It is suggested that users be migrated to SSL/TLS connections.", listener_address, args->v.number);
}
- add_listener(args->v.number, listener_address, family, ssl, ssl || yy_defer_accept);
+ add_listener(args->v.number, listener_address, family, ssl, ssl || yy_defer_accept, yy_wsock);
}
-
}
}
yy_blacklist_reason = rb_strdup(data);
if (yy_blacklist_iptype & IPTYPE_IPV6)
{
- /* Make sure things fit (64 = alnum count + dots) */
+ /* Make sure things fit (magic number 64 = alnum count + dots)
+ * Example: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
+ */
if ((64 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN)
{
conf_report_error("blacklist::host %s results in IPv6 queries that are too long",
/* Avoid doing redundant check, IPv6 is bigger than IPv4 --Elizabeth */
if ((yy_blacklist_iptype & IPTYPE_IPV4) && !(yy_blacklist_iptype & IPTYPE_IPV6))
{
- /* Make sure things fit (16 = number of nums + dots) */
+ /* Make sure things fit for worst case (magic number 16 = number of nums + dots)
+ * Example: 127.127.127.127.in-addr.arpa
+ */
if ((16 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN)
{
conf_report_error("blacklist::host %s results in IPv4 queries that are too long",
yy_blacklist_iptype = 0;
}
+
+struct opm_scanner
+{
+ const char *type;
+ uint16_t port;
+
+ rb_dlink_node node;
+};
+
+static int
+conf_begin_opm(struct TopConf *tc)
+{
+ yy_opm_address_ipv4 = yy_opm_address_ipv6 = NULL;
+ yy_opm_port_ipv4 = yy_opm_port_ipv6 = yy_opm_timeout = 0;
+ return 0;
+}
+
+static int
+conf_end_opm(struct TopConf *tc)
+{
+ rb_dlink_node *ptr, *nptr;
+ bool fail = false;
+
+ if(!rb_dlink_list_length(&yy_opm_scanner_list))
+ {
+ conf_report_error("No opm scanners configured, disabling opm.");
+ fail = true;
+ goto end;
+ }
+
+ if(yy_opm_port_ipv4 > 0)
+ {
+ if(yy_opm_address_ipv4 != NULL)
+ create_opm_listener(yy_opm_address_ipv4, yy_opm_port_ipv4);
+ else
+ {
+ char ip[HOSTIPLEN];
+ if(!rb_inet_ntop_sock((struct sockaddr *)&ServerInfo.ip, ip, sizeof(ip)))
+ conf_report_error("No opm::listen_ipv4 nor serverinfo::vhost directive; cannot listen on IPv4");
+ else
+ create_opm_listener(ip, yy_opm_port_ipv4);
+ }
+ }
+
+ if(yy_opm_port_ipv6 > 0)
+ {
+ if(yy_opm_address_ipv6 != NULL)
+ create_opm_listener(yy_opm_address_ipv6, yy_opm_port_ipv6);
+ else
+ {
+ char ip[HOSTIPLEN];
+ if(!rb_inet_ntop_sock((struct sockaddr *)&ServerInfo.ip6, ip, sizeof(ip)))
+ conf_report_error("No opm::listen_ipv6 nor serverinfo::vhost directive; cannot listen on IPv6");
+ else
+ create_opm_listener(ip, yy_opm_port_ipv6);
+ }
+ }
+
+ /* If there's no listeners... */
+ fail = (yy_opm_port_ipv4 == 0 || yy_opm_port_ipv6 == 0);
+
+ if(!fail && yy_opm_timeout > 0)
+ /* Send timeout */
+ set_authd_timeout("opm_timeout", yy_opm_timeout);
+
+end:
+ RB_DLINK_FOREACH_SAFE(ptr, nptr, yy_opm_scanner_list.head)
+ {
+ struct opm_scanner *scanner = ptr->data;
+
+ if(!fail)
+ create_opm_proxy_scanner(scanner->type, scanner->port);
+
+ rb_dlinkDelete(&scanner->node, &yy_opm_scanner_list);
+ rb_free(scanner);
+ }
+
+ rb_free(yy_opm_address_ipv4);
+ rb_free(yy_opm_address_ipv6);
+ return 0;
+}
+
+static void
+conf_set_opm_timeout(void *data)
+{
+ int timeout = *((int *)data);
+
+ if(timeout <= 0 || timeout > 60)
+ {
+ conf_report_error("opm::timeout value %d is bogus, ignoring", timeout);
+ return;
+ }
+
+ yy_opm_timeout = timeout;
+}
+
+static void
+conf_set_opm_listen_address_both(void *data, bool ipv6)
+{
+ struct rb_sockaddr_storage addr;
+ const char *confstr = (ipv6 ? "opm::listen_ipv6" : "opm::listen_ipv4");
+ char *ip = data;
+
+ if(!rb_inet_pton_sock(ip, (struct sockaddr *)&addr))
+ {
+ conf_report_error("%s is an invalid address: %s", confstr, ip);
+ return;
+ }
+
+ if(ipv6)
+ {
+#ifdef RB_IPV6
+ if(GET_SS_FAMILY(&addr) != AF_INET6)
+ {
+ conf_report_error("%s is of the wrong address type: %s", confstr, ip);
+ return;
+ }
+
+ if(yy_opm_address_ipv6 != NULL)
+ {
+ conf_report_error("%s overwrites previous address %s", confstr, ip);
+ return;
+ }
+
+ yy_opm_address_ipv6 = rb_strdup(ip);
+#else
+ conf_report_error("%s requires IPv6 support in your ircd", confstr, ip);
+ return;
+#endif
+ }
+ else
+ {
+ if(GET_SS_FAMILY(&addr) != AF_INET)
+ {
+ conf_report_error("%s is of the wrong address type: %s", confstr, ip);
+ return;
+ }
+
+ if(yy_opm_address_ipv4 != NULL)
+ {
+ conf_report_error("%s overwrites previous address %s", confstr, ip);
+ return;
+ }
+
+ yy_opm_address_ipv4 = rb_strdup(ip);
+ }
+}
+
+static void
+conf_set_opm_listen_address_ipv4(void *data)
+{
+ conf_set_opm_listen_address_both(data, false);
+}
+
+static void
+conf_set_opm_listen_address_ipv6(void *data)
+{
+ conf_set_opm_listen_address_both(data, true);
+}
+
+static void
+conf_set_opm_listen_port_both(void *data, bool ipv6)
+{
+ int port = *((int *)data);
+ const char *confstr = (ipv6 ? "opm::port_ipv6" : "opm::port_ipv4");
+
+#ifndef RB_IPV6
+ if(ipv6)
+ {
+ conf_report_error("%s requires IPv6 support in your ircd", confstr);
+ return;
+ }
+#endif
+
+ if(port > 65535 || port <= 0)
+ {
+ conf_report_error("%s is out of range: %d", confstr, port);
+ return;
+ }
+
+ if(ipv6)
+ {
+ if(yy_opm_port_ipv4)
+ {
+ conf_report_error("%s overwrites existing port %hu",
+ confstr, yy_opm_port_ipv4);
+ return;
+ }
+
+ yy_opm_port_ipv4 = port;
+ }
+ else
+ {
+ if(yy_opm_port_ipv6)
+ {
+ conf_report_error("%s overwrites existing port %hu",
+ confstr, yy_opm_port_ipv6);
+ return;
+ }
+
+ yy_opm_port_ipv6 = port;
+ }
+}
+
+static void
+conf_set_opm_listen_port_ipv4(void *data)
+{
+ conf_set_opm_listen_port_both(data, false);
+}
+
+static void
+conf_set_opm_listen_port_ipv6(void *data)
+{
+ conf_set_opm_listen_port_both(data, true);
+}
+
+static void
+conf_set_opm_listen_port(void *data)
+{
+ conf_set_opm_listen_port_both(data, true);
+ conf_set_opm_listen_port_both(data, false);
+}
+
+static void
+conf_set_opm_scan_ports_all(void *data, const char *node, const char *type)
+{
+ conf_parm_t *args = data;
+ for (; args; args = args->next)
+ {
+ rb_dlink_node *ptr;
+ bool dup = false;
+
+ if(CF_TYPE(args->type) != CF_INT)
+ {
+ conf_report_error("%s argument is not an integer -- ignoring.", node);
+ continue;
+ }
+
+ if(args->v.number > 65535 || args->v.number <= 0)
+ {
+ conf_report_error("%s argument is not an integer between 1 and 65535 -- ignoring.", node);
+ continue;
+ }
+
+ /* Check for duplicates */
+ RB_DLINK_FOREACH(ptr, yy_opm_scanner_list.head)
+ {
+ struct opm_scanner *scanner = ptr->data;
+
+ if(scanner->port == args->v.number && strcmp(type, scanner->type) == 0)
+ {
+ conf_report_error("%s argument is duplicate", node);
+ dup = true;
+ break;
+ }
+ }
+
+ if(!dup)
+ {
+ struct opm_scanner *scanner = rb_malloc(sizeof(struct opm_scanner));
+ scanner->port = args->v.number;
+ scanner->type = type;
+ rb_dlinkAdd(scanner, &scanner->node, &yy_opm_scanner_list);
+ }
+ }
+}
+
+static void
+conf_set_opm_scan_ports_socks4(void *data)
+{
+ conf_set_opm_scan_ports_all(data, "opm::socks4_ports", "socks4");
+}
+
+static void
+conf_set_opm_scan_ports_socks5(void *data)
+{
+ conf_set_opm_scan_ports_all(data, "opm::socks5_ports", "socks5");
+}
+
+static void
+conf_set_opm_scan_ports_httpconnect(void *data)
+{
+ conf_set_opm_scan_ports_all(data, "opm::httpconnect_ports", "httpconnect");
+}
+
+static void
+conf_set_opm_scan_ports_httpsconnect(void *data)
+{
+ conf_set_opm_scan_ports_all(data, "opm::httpsconnect_ports", "httpsconnect");
+}
+
/* public functions */
add_top_conf("listen", conf_begin_listen, conf_end_listen, NULL);
add_conf_item("listen", "defer_accept", CF_YESNO, conf_set_listen_defer_accept);
+ add_conf_item("listen", "wsock", CF_YESNO, conf_set_listen_wsock);
add_conf_item("listen", "port", CF_INT | CF_FLIST, conf_set_listen_port);
add_conf_item("listen", "sslport", CF_INT | CF_FLIST, conf_set_listen_sslport);
add_conf_item("listen", "ip", CF_QSTRING, conf_set_listen_address);
add_conf_item("blacklist", "type", CF_STRING | CF_FLIST, conf_set_blacklist_type);
add_conf_item("blacklist", "matches", CF_QSTRING | CF_FLIST, conf_set_blacklist_matches);
add_conf_item("blacklist", "reject_reason", CF_QSTRING, conf_set_blacklist_reason);
+
+ add_top_conf("opm", conf_begin_opm, conf_end_opm, NULL);
+ add_conf_item("opm", "timeout", CF_INT, conf_set_opm_timeout);
+ add_conf_item("opm", "listen_ipv4", CF_QSTRING, conf_set_opm_listen_address_ipv4);
+ add_conf_item("opm", "listen_ipv6", CF_QSTRING, conf_set_opm_listen_address_ipv6);
+ add_conf_item("opm", "port_v4", CF_INT, conf_set_opm_listen_port_ipv4);
+ add_conf_item("opm", "port_v6", CF_INT, conf_set_opm_listen_port_ipv6);
+ add_conf_item("opm", "listen_port", CF_INT, conf_set_opm_listen_port);
+ add_conf_item("opm", "socks4_ports", CF_INT | CF_FLIST, conf_set_opm_scan_ports_socks4);
+ add_conf_item("opm", "socks5_ports", CF_INT | CF_FLIST, conf_set_opm_scan_ports_socks5);
+ add_conf_item("opm", "httpconnect_ports", CF_INT | CF_FLIST, conf_set_opm_scan_ports_httpconnect);
+ add_conf_item("opm", "httpsconnect_ports", CF_INT | CF_FLIST, conf_set_opm_scan_ports_httpsconnect);
}
projects / solanum.git / blobdiff