]> de.git.xonotic.org Git - xonotic/xonotic-data.pk3dir.git/blob - qcsrc/server/ipban.qc
Add cvars to control the minimum and maximum speed multiplier while spectating
[xonotic/xonotic-data.pk3dir.git] / qcsrc / server / ipban.qc
1 #include "ipban.qh"
2
3 #include <server/defs.qh>
4 #include <server/miscfunctions.qh>
5 #include "autocvars.qh"
6 #include "command/banning.qh"
7 #include "defs.qh"
8 #include "../common/constants.qh"
9 #include "../common/util.qh"
10
11 /*
12  * Protocol of online ban list:
13  *
14  * - Reporting a ban:
15  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
16  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
17  * - Removing a ban:
18  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
19  * - Querying the ban list
20  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
21  *
22  *     shows the bans from the listed servers, and possibly others.
23  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
24  *     newline ONLY (no carriage return):
25  *
26  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
27  *     time left in seconds
28  *     reason of the ban
29  *     server IP that registered the ban
30  */
31
32 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
33
34 float Ban_Insert(string ip, float bantime, string reason, float dosync);
35
36 void OnlineBanList_SendBan(string ip, float bantime, string reason)
37 {
38         string uri;
39         float i, n;
40
41         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
42         uri = strcat(uri, "&ip=", uri_escape(ip));
43         uri = strcat(uri, "&duration=", ftos(bantime));
44         uri = strcat(uri, "&reason=", uri_escape(reason));
45
46         n = tokenize_console(autocvar_g_ban_sync_uri);
47         if(n >= MAX_IPBAN_URIS)
48                 n = MAX_IPBAN_URIS;
49         for(i = 0; i < n; ++i)
50         {
51                 if(strstrofs(argv(i), "?", 0) >= 0)
52                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
53                 else
54                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
55         }
56 }
57
58 void OnlineBanList_SendUnban(string ip)
59 {
60         string uri;
61         float i, n;
62
63         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
64         uri = strcat(uri, "&ip=", uri_escape(ip));
65
66         n = tokenize_console(autocvar_g_ban_sync_uri);
67         if(n >= MAX_IPBAN_URIS)
68                 n = MAX_IPBAN_URIS;
69         for(i = 0; i < n; ++i)
70         {
71                 if(strstrofs(argv(i), "?", 0) >= 0)
72                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
73                 else
74                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
75         }
76 }
77
78 string OnlineBanList_Servers;
79 float OnlineBanList_Timeout;
80 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
81
82 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
83 {
84         float n, i, j, l;
85         string ip;
86         float timeleft;
87         string reason;
88         string serverip;
89         float syncinterval;
90         string uri;
91
92         id -= URI_GET_IPBAN;
93
94         if(id >= MAX_IPBAN_URIS)
95         {
96                 LOG_INFO("Received ban list for invalid ID");
97                 return;
98         }
99
100         tokenize_console(autocvar_g_ban_sync_uri);
101         uri = argv(id);
102
103         string prelude = strcat("Received ban list from ", uri, ": ");
104
105         if(OnlineBanList_RequestWaiting[id] == 0)
106         {
107                 LOG_INFO(prelude, "rejected (unexpected)");
108                 return;
109         }
110
111         OnlineBanList_RequestWaiting[id] = 0;
112
113         if(time > OnlineBanList_Timeout)
114         {
115                 LOG_INFO(prelude, "rejected (too late)");
116                 return;
117         }
118
119         syncinterval = autocvar_g_ban_sync_interval;
120         if(syncinterval == 0)
121         {
122                 LOG_INFO(prelude, "rejected (syncing disabled)");
123                 return;
124         }
125         if(syncinterval > 0)
126                 syncinterval *= 60;
127
128         if(status != 0)
129         {
130                 LOG_INFO(prelude, "error: status is ", ftos(status));
131                 return;
132         }
133
134         if(substring(data, 0, 1) == "<")
135         {
136                 LOG_INFO(prelude, "error: received HTML instead of a ban list");
137                 return;
138         }
139
140         if(strstrofs(data, "\r", 0) != -1)
141         {
142                 LOG_INFO(prelude, "error: received carriage returns");
143                 return;
144         }
145
146         if(data == "")
147                 n = 0;
148         else
149                 n = tokenizebyseparator(data, "\n");
150
151         if((n % 4) != 0)
152         {
153                 LOG_INFO(prelude, "error: received invalid item count: ", ftos(n));
154                 return;
155         }
156
157         LOG_INFO(prelude, "OK, ", ftos(n / 4), " items");
158
159         for(i = 0; i < n; i += 4)
160         {
161                 ip = argv(i);
162                 timeleft = stof(argv(i + 1));
163                 reason = argv(i + 2);
164                 serverip = argv(i + 3);
165
166                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
167                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
168                 LOG_TRACE(" serverip=", serverip);
169
170                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
171                 if(timeleft < 0)
172                         continue;
173
174                 l = strlen(ip);
175                 if(l != 44) // length 44 is a cryptographic ID
176                 {
177                         for(j = 0; j < l; ++j)
178                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
179                                 {
180                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.");
181                                         goto skip;
182                                 }
183                 }
184
185                 if(autocvar_g_ban_sync_trusted_servers_verify)
186                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
187                                 continue;
188
189                 if(syncinterval > 0)
190                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
191                         // the ban will be prolonged on the next sync
192                         // or expire 5 seconds after the next timeout
193                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
194                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ", reason);
195
196 LABEL(skip)
197         }
198 }
199
200 void OnlineBanList_Think(entity this)
201 {
202         float argc;
203         string uri;
204         float i, n;
205
206         if(autocvar_g_ban_sync_uri == "")
207                 goto killme;
208         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
209                 goto killme;
210         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
211         if(argc == 0)
212                 goto killme;
213
214         if(OnlineBanList_Servers)
215                 strunzone(OnlineBanList_Servers);
216         OnlineBanList_Servers = argv(0);
217         for(i = 1; i < argc; ++i)
218                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
219         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
220
221         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
222         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
223
224         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
225
226         n = tokenize_console(autocvar_g_ban_sync_uri);
227         if(n >= MAX_IPBAN_URIS)
228                 n = MAX_IPBAN_URIS;
229         for(i = 0; i < n; ++i)
230         {
231                 if(OnlineBanList_RequestWaiting[i])
232                         continue;
233                 OnlineBanList_RequestWaiting[i] = 1;
234                 if(strstrofs(argv(i), "?", 0) >= 0)
235                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
236                 else
237                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
238         }
239
240         if(autocvar_g_ban_sync_interval > 0)
241                 this.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
242         else
243                 goto killme;
244         return;
245
246 LABEL(killme)
247         delete(this);
248 }
249
250 const float BAN_MAX = 256;
251 float ban_loaded;
252 string ban_ip[BAN_MAX];
253 float ban_expire[BAN_MAX];
254 float ban_count;
255
256 string ban_ip1;
257 string ban_ip2;
258 string ban_ip3;
259 string ban_ip4;
260 string ban_idfp;
261
262 void Ban_SaveBans()
263 {
264         string out;
265         float i;
266
267         if(!ban_loaded)
268                 return;
269
270         // version of list
271         out = "1";
272         for(i = 0; i < ban_count; ++i)
273         {
274                 if(time > ban_expire[i])
275                         continue;
276                 out = strcat(out, " ", ban_ip[i]);
277                 out = strcat(out, " ", ftos(ban_expire[i] - time));
278         }
279         if(strlen(out) <= 1) // no real entries
280                 cvar_set("g_banned_list", "");
281         else
282                 cvar_set("g_banned_list", out);
283 }
284
285 float Ban_Delete(float i)
286 {
287         if(i < 0)
288                 return false;
289         if(i >= ban_count)
290                 return false;
291         if(ban_expire[i] == 0)
292                 return false;
293         if(ban_expire[i] > 0)
294         {
295                 OnlineBanList_SendUnban(ban_ip[i]);
296                 strunzone(ban_ip[i]);
297         }
298         ban_expire[i] = 0;
299         ban_ip[i] = "";
300         Ban_SaveBans();
301         return true;
302 }
303
304 void Ban_LoadBans()
305 {
306         float i, n;
307         for(i = 0; i < ban_count; ++i)
308                 Ban_Delete(i);
309         ban_count = 0;
310         ban_loaded = true;
311         n = tokenize_console(autocvar_g_banned_list);
312         if(stof(argv(0)) == 1)
313         {
314                 ban_count = (n - 1) / 2;
315                 for(i = 0; i < ban_count; ++i)
316                 {
317                         ban_ip[i] = strzone(argv(2*i+1));
318                         ban_expire[i] = time + stof(argv(2*i+2));
319                 }
320         }
321
322         entity e = new(bansyncer);
323         setthink(e, OnlineBanList_Think);
324         e.nextthink = time + 1;
325 }
326
327 void Ban_View()
328 {
329         float i, n;
330         string msg;
331
332         LOG_INFO("^2Listing all existing active bans:");
333
334         n = 0;
335         for(i = 0; i < ban_count; ++i)
336         {
337                 if(time > ban_expire[i])
338                         continue;
339
340                 ++n; // total number of existing bans
341
342                 msg = strcat("#", ftos(i), ": ");
343                 msg = strcat(msg, ban_ip[i], " is still banned for ");
344                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
345
346                 LOG_INFO("  ", msg);
347         }
348
349         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.");
350 }
351
352 float Ban_GetClientIP(entity client)
353 {
354         // we can't use tokenizing here, as this is called during ban list parsing
355         float i1, i2, i3, i4;
356         string s;
357
358         if(client.crypto_idfp_signed)
359                 ban_idfp = client.crypto_idfp;
360         else
361                 ban_idfp = string_null;
362
363         s = client.netaddress;
364
365         i1 = strstrofs(s, ".", 0);
366         if(i1 < 0)
367                 goto ipv6;
368         i2 = strstrofs(s, ".", i1 + 1);
369         if(i2 < 0)
370                 return false;
371         i3 = strstrofs(s, ".", i2 + 1);
372         if(i3 < 0)
373                 return false;
374         i4 = strstrofs(s, ".", i3 + 1);
375         if(i4 >= 0)
376                 s = substring(s, 0, i4);
377
378         ban_ip1 = substring(s, 0, i1); // 8
379         ban_ip2 = substring(s, 0, i2); // 16
380         ban_ip3 = substring(s, 0, i3); // 24
381         ban_ip4 = strcat1(s); // 32
382         return true;
383
384 LABEL(ipv6)
385         i1 = strstrofs(s, ":", 0);
386         if(i1 < 0)
387                 return false;
388         i1 = strstrofs(s, ":", i1 + 1);
389         if(i1 < 0)
390                 return false;
391         i2 = strstrofs(s, ":", i1 + 1);
392         if(i2 < 0)
393                 return false;
394         i3 = strstrofs(s, ":", i2 + 1);
395         if(i3 < 0)
396                 return false;
397
398         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
399         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
400         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
401
402         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
403                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
404         else
405                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
406
407         return true;
408 }
409
410 float Ban_IsClientBanned(entity client, float idx)
411 {
412         float i, b, e, ipbanned;
413         if(!ban_loaded)
414                 Ban_LoadBans();
415         if(!Ban_GetClientIP(client))
416                 return false;
417         if(idx < 0)
418         {
419                 b = 0;
420                 e = ban_count;
421         }
422         else
423         {
424                 b = idx;
425                 e = idx + 1;
426         }
427         ipbanned = false;
428         for(i = b; i < e; ++i)
429         {
430                 string s;
431                 if(time > ban_expire[i])
432                         continue;
433                 s = ban_ip[i];
434                 if(ban_ip1 == s) ipbanned = true;
435                 if(ban_ip2 == s) ipbanned = true;
436                 if(ban_ip3 == s) ipbanned = true;
437                 if(ban_ip4 == s) ipbanned = true;
438                 if(ban_idfp == s) return true;
439         }
440         if(ipbanned)
441         {
442                 if(!autocvar_g_banned_list_idmode)
443                         return true;
444                 if (!ban_idfp)
445                         return true;
446         }
447         return false;
448 }
449
450 bool Ban_MaybeEnforceBan(entity client)
451 {
452         if (Ban_IsClientBanned(client, -1))
453         {
454                 string s = sprintf("^1NOTE:^7 banned client %s just tried to enter\n", client.netaddress);
455                 dropclient(client);
456                 bprint(s);
457                 return true;
458         }
459         return false;
460 }
461
462 .bool ban_checked;
463 bool Ban_MaybeEnforceBanOnce(entity client)
464 {
465         if (client.ban_checked) return false;
466         client.ban_checked = true;
467         return Ban_MaybeEnforceBan(client);
468 }
469
470 string Ban_Enforce(float j, string reason)
471 {
472         string s;
473
474         // Enforce our new ban
475         s = "";
476         FOREACH_CLIENTSLOT(IS_REAL_CLIENT(it),
477         {
478                 if(Ban_IsClientBanned(it, j))
479                 {
480                         if(reason != "")
481                         {
482                                 if(s == "")
483                                         reason = strcat(reason, ": affects ");
484                                 else
485                                         reason = strcat(reason, ", ");
486                                 reason = strcat(reason, it.netname);
487                         }
488                         s = strcat(s, "^1NOTE:^7 banned client ", it.netaddress, "^7 has to go\n");
489                         dropclient(it);
490                 }
491         });
492         bprint(s);
493
494         return reason;
495 }
496
497 float Ban_Insert(string ip, float bantime, string reason, float dosync)
498 {
499         float i;
500         float j;
501         float bestscore;
502
503         // already banned?
504         for(i = 0; i < ban_count; ++i)
505                 if(ban_ip[i] == ip)
506                 {
507                         // prolong the ban
508                         if(time + bantime > ban_expire[i])
509                         {
510                                 ban_expire[i] = time + bantime;
511                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now");
512                         }
513                         else
514                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now");
515
516                         // and enforce
517                         reason = Ban_Enforce(i, reason);
518
519                         // and abort
520                         if(dosync)
521                                 if(reason != "")
522                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
523                                                 OnlineBanList_SendBan(ip, bantime, reason);
524
525                         return false;
526                 }
527
528         // do we have a free slot?
529         for(i = 0; i < ban_count; ++i)
530                 if(time > ban_expire[i])
531                         break;
532         // no free slot? Then look for the one who would get unbanned next
533         if(i >= BAN_MAX)
534         {
535                 i = 0;
536                 bestscore = ban_expire[i];
537                 for(j = 1; j < ban_count; ++j)
538                 {
539                         if(ban_expire[j] < bestscore)
540                         {
541                                 i = j;
542                                 bestscore = ban_expire[i];
543                         }
544                 }
545         }
546         // if we replace someone, will we be banned longer than him (so long-term
547         // bans never get overridden by short-term bans)
548         if(i < ban_count)
549         if(ban_expire[i] > time + bantime)
550         {
551                 LOG_INFO(ip, " could not get banned due to no free ban slot");
552                 return false;
553         }
554         // okay, insert our new victim as i
555         Ban_Delete(i);
556         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds");
557         ban_expire[i] = time + bantime;
558         ban_ip[i] = strzone(ip);
559         ban_count = max(ban_count, i + 1);
560
561         Ban_SaveBans();
562
563         reason = Ban_Enforce(i, reason);
564
565         // and abort
566         if(dosync)
567                 if(reason != "")
568                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
569                                 OnlineBanList_SendBan(ip, bantime, reason);
570
571         return true;
572 }
573
574 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
575 {
576         string ip, id;
577         if(!Ban_GetClientIP(client))
578         {
579                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
580                 dropclient(client);
581                 return;
582         }
583
584         // who to ban?
585         switch(masksize)
586         {
587                 case 1:
588                         ip = strcat1(ban_ip1);
589                         break;
590                 case 2:
591                         ip = strcat1(ban_ip2);
592                         break;
593                 case 3:
594                         ip = strcat1(ban_ip3);
595                         break;
596                 case 4:
597                 default:
598                         ip = strcat1(ban_ip4);
599                         break;
600         }
601         if(ban_idfp)
602                 id = strcat1(ban_idfp);
603         else
604                 id = string_null;
605
606         Ban_Insert(ip, bantime, reason, 1);
607         if(id)
608                 Ban_Insert(id, bantime, reason, 1);
609         /*
610          * not needed, as we enforce the ban in Ban_Insert anyway
611         // and kick him
612         sprint(client, strcat("Kickbanned: ", reason, "\n"));
613         dropclient(client);
614          */
615 }