qcsrc/server/ipban.qc

   1 /*
   2  * Protocol of online ban list:
   3  *
   4  * - Reporting a ban:
   5  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
   6  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
   7  * - Removing a ban:
   8  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
   9  * - Querying the ban list
  10  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  11  *
  12  *     shows the bans from the listed servers, and possibly others.
  13  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  14  *     newline ONLY (no carriage return):
  15  *
  16  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  17  *     time left in seconds
  18  *     reason of the ban
  19  *     server IP that registered the ban
  20  */
  21
  22 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  23
  24 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  25 {
  26         string uri;
  27         float i, n;
  28
  29         uri = strcat(     "action=ban&hostname=", uri_escape(cvar_string("hostname")));
  30         uri = strcat(uri, "&ip=", uri_escape(ip));
  31         uri = strcat(uri, "&duration=", ftos(bantime));
  32         uri = strcat(uri, "&reason=", uri_escape(reason));
  33
  34         n = tokenize_console(cvar_string("g_ban_sync_uri"));
  35         if(n >= MAX_IPBAN_URIS)
  36                 n = MAX_IPBAN_URIS;
  37         for(i = 0; i < n; ++i)
  38         {
  39                 if(strstrofs(argv(i), "?", 0) >= 0)
  40                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  41                 else
  42                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  43         }
  44 }
  45
  46 void OnlineBanList_SendUnban(string ip)
  47 {
  48         string uri;
  49         float i, n;
  50
  51         uri = strcat(     "action=unban&hostname=", uri_escape(cvar_string("hostname")));
  52         uri = strcat(uri, "&ip=", uri_escape(ip));
  53
  54         n = tokenize_console(cvar_string("g_ban_sync_uri"));
  55         if(n >= MAX_IPBAN_URIS)
  56                 n = MAX_IPBAN_URIS;
  57         for(i = 0; i < n; ++i)
  58         {
  59                 if(strstrofs(argv(i), "?", 0) >= 0)
  60                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  61                 else
  62                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  63         }
  64 }
  65
  66 string OnlineBanList_Servers;
  67 float OnlineBanList_Timeout;
  68 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  69
  70 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  71 {
  72         float n, i, j, l;
  73         string ip;
  74         float timeleft;
  75         string reason;
  76         string serverip;
  77         float syncinterval;
  78         string uri;
  79
  80         id -= URI_GET_IPBAN;
  81
  82         if(id >= MAX_IPBAN_URIS)
  83         {
  84                 print("Received ban list for invalid ID\n");
  85                 return;
  86         }
  87
  88         tokenize_console(cvar_string("g_ban_sync_uri"));
  89         uri = argv(id);
  90
  91         print("Received ban list from ", uri, ": ");
  92
  93         if(OnlineBanList_RequestWaiting[id] == 0)
  94         {
  95                 print("rejected (unexpected)\n");
  96                 return;
  97         }
  98
  99         OnlineBanList_RequestWaiting[id] = 0;
 100
 101         if(time > OnlineBanList_Timeout)
 102         {
 103                 print("rejected (too late)\n");
 104                 return;
 105         }
 106
 107         syncinterval = cvar("g_ban_sync_interval");
 108         if(syncinterval == 0)
 109         {
 110                 print("rejected (syncing disabled)\n");
 111                 return;
 112         }
 113         if(syncinterval > 0)
 114                 syncinterval *= 60;
 115
 116         if(status != 0)
 117         {
 118                 print("error: status is ", ftos(status), "\n");
 119                 return;
 120         }
 121
 122         if(substring(data, 0, 1) == "<")
 123         {
 124                 print("error: received HTML instead of a ban list\n");
 125                 return;
 126         }
 127
 128         if(strstrofs(data, "\r", 0) != -1)
 129         {
 130                 print("error: received carriage returns\n");
 131                 return;
 132         }
 133
 134         if(data == "")
 135                 n = 0;
 136         else
 137                 n = tokenizebyseparator(data, "\n");
 138
 139         if(mod(n, 4) != 0)
 140         {
 141                 print("error: received invalid item count: ", ftos(n), "\n");
 142                 return;
 143         }
 144
 145         print("OK, ", ftos(n / 4), " items\n");
 146
 147         for(i = 0; i < n; i += 4)
 148         {
 149                 ip = argv(i);
 150                 timeleft = stof(argv(i + 1));
 151                 reason = argv(i + 2);
 152                 serverip = argv(i + 3);
 153
 154                 dprint("received ban list item ", ftos(i / 4), ": ip=", ip);
 155                 dprint(" timeleft=", ftos(timeleft), " reason=", reason);
 156                 dprint(" serverip=", serverip, "\n");
 157
 158                 timeleft -= 1.5 * cvar("g_ban_sync_timeout");
 159                 if(timeleft < 0)
 160                         continue;
 161
 162                 l = strlen(ip);
 163                 for(j = 0; j < l; ++j)
 164                         if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 165                         {
 166                                 print("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 167                                 goto skip;
 168                         }
 169
 170                 if(cvar("g_ban_sync_trusted_servers_verify"))
 171                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 172                                 continue;
 173
 174                 if(syncinterval > 0)
 175                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 176                         // the ban will be prolonged on the next sync
 177                         // or expire 5 seconds after the next timeout
 178                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 179                 print("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 180                 print(reason, "\n");
 181
 182 :skip
 183         }
 184 }
 185
 186 void OnlineBanList_Think()
 187 {
 188         float argc;
 189         string uri;
 190         float i, n;
 191
 192         if(cvar_string("g_ban_sync_uri") == "")
 193                 goto killme;
 194         if(cvar("g_ban_sync_interval") == 0) // < 0 is okay, it means "sync on level start only"
 195                 goto killme;
 196         argc = tokenize_console(cvar_string("g_ban_sync_trusted_servers"));
 197         if(argc == 0)
 198                 goto killme;
 199
 200         if(OnlineBanList_Servers)
 201                 strunzone(OnlineBanList_Servers);
 202         OnlineBanList_Servers = argv(0);
 203         for(i = 1; i < argc; ++i)
 204                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 205         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 206
 207         uri = strcat(     "action=list&hostname=", uri_escape(cvar_string("hostname")));
 208         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 209
 210         OnlineBanList_Timeout = time + cvar("g_ban_sync_timeout");
 211
 212         n = tokenize_console(cvar_string("g_ban_sync_uri"));
 213         if(n >= MAX_IPBAN_URIS)
 214                 n = MAX_IPBAN_URIS;
 215         for(i = 0; i < n; ++i)
 216         {
 217                 if(OnlineBanList_RequestWaiting[i])
 218                         continue;
 219                 OnlineBanList_RequestWaiting[i] = 1;
 220                 if(strstrofs(argv(i), "?", 0) >= 0)
 221                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 222                 else
 223                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 224         }
 225
 226         if(cvar("g_ban_sync_interval") > 0)
 227                 self.nextthink = time + max(60, cvar("g_ban_sync_interval") * 60);
 228         else
 229                 goto killme;
 230         return;
 231
 232 :killme
 233         remove(self);
 234 }
 235
 236 #define BAN_MAX 256
 237 float ban_loaded;
 238 string ban_ip[BAN_MAX];
 239 float ban_expire[BAN_MAX];
 240 float ban_count;
 241
 242 string ban_ip1;
 243 string ban_ip2;
 244 string ban_ip3;
 245 string ban_ip4;
 246 #ifdef UID
 247 string ban_uid;
 248 #endif
 249
 250 void Ban_SaveBans()
 251 {
 252         string out;
 253         float i;
 254
 255         if(!ban_loaded)
 256                 return;
 257
 258         // version of list
 259         out = "1";
 260         for(i = 0; i < ban_count; ++i)
 261         {
 262                 if(time > ban_expire[i])
 263                         continue;
 264                 out = strcat(out, " ", ban_ip[i]);
 265                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 266         }
 267         if(strlen(out) <= 1) // no real entries
 268                 cvar_set("g_banned_list", "");
 269         else
 270                 cvar_set("g_banned_list", out);
 271 }
 272
 273 float Ban_Delete(float i)
 274 {
 275         if(i < 0)
 276                 return FALSE;
 277         if(i >= ban_count)
 278                 return FALSE;
 279         if(ban_expire[i] == 0)
 280                 return FALSE;
 281         if(ban_expire[i] > 0)
 282         {
 283                 OnlineBanList_SendUnban(ban_ip[i]);
 284                 strunzone(ban_ip[i]);
 285         }
 286         ban_expire[i] = 0;
 287         ban_ip[i] = "";
 288         Ban_SaveBans();
 289         return TRUE;
 290 }
 291
 292 void Ban_LoadBans()
 293 {
 294         float i, n;
 295         for(i = 0; i < ban_count; ++i)
 296                 Ban_Delete(i);
 297         ban_count = 0;
 298         ban_loaded = TRUE;
 299         n = tokenize_console(cvar_string("g_banned_list"));
 300         if(stof(argv(0)) == 1)
 301         {
 302                 ban_count = (n - 1) / 2;
 303                 for(i = 0; i < ban_count; ++i)
 304                 {
 305                         ban_ip[i] = strzone(argv(2*i+1));
 306                         ban_expire[i] = time + stof(argv(2*i+2));
 307                 }
 308         }
 309
 310         entity e;
 311         e = spawn();
 312         e.classname = "bansyncer";
 313         e.think = OnlineBanList_Think;
 314         e.nextthink = time + 1;
 315 }
 316
 317 void Ban_View()
 318 {
 319         float i;
 320         string msg;
 321         for(i = 0; i < ban_count; ++i)
 322         {
 323                 if(time > ban_expire[i])
 324                         continue;
 325                 msg = strcat("#", ftos(i), ": ");
 326                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 327                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 328                 print(msg, "\n");
 329         }
 330 }
 331
 332 float Ban_GetClientIP(entity client)
 333 {
 334         // we can't use tokenizing here, as this is called during ban list parsing
 335         float i1, i2, i3, i4;
 336         string s;
 337
 338         s = client.netaddress;
 339
 340         i1 = strstrofs(s, ".", 0);
 341         if(i1 < 0)
 342                 return FALSE;
 343         i2 = strstrofs(s, ".", i1 + 1);
 344         if(i2 < 0)
 345                 return FALSE;
 346         i3 = strstrofs(s, ".", i2 + 1);
 347         if(i3 < 0)
 348                 return FALSE;
 349         i4 = strstrofs(s, ".", i3 + 1);
 350         if(i4 >= 0)
 351                 return FALSE;
 352
 353         ban_ip1 = substring(s, 0, i1);
 354         ban_ip2 = substring(s, 0, i2);
 355         ban_ip3 = substring(s, 0, i3);
 356         ban_ip4 = strcat1(s);
 357 #ifdef UID
 358         ban_uid = client.uid;
 359 #endif
 360
 361         return TRUE;
 362 }
 363
 364 float Ban_IsClientBanned(entity client, float idx)
 365 {
 366         float i, b, e;
 367         if(!ban_loaded)
 368                 Ban_LoadBans();
 369         if(!Ban_GetClientIP(client))
 370                 return FALSE;
 371         if(idx < 0)
 372         {
 373                 b = 0;
 374                 e = ban_count;
 375         }
 376         else
 377         {
 378                 b = idx;
 379                 e = idx + 1;
 380         }
 381         for(i = b; i < e; ++i)
 382         {
 383                 string s;
 384                 if(time > ban_expire[i])
 385                         continue;
 386                 s = ban_ip[i];
 387                 if(ban_ip1 == s) return TRUE;
 388                 if(ban_ip2 == s) return TRUE;
 389                 if(ban_ip3 == s) return TRUE;
 390                 if(ban_ip4 == s) return TRUE;
 391 #ifdef UID
 392                 if(ban_uid == s) return TRUE;
 393 #endif
 394         }
 395         return FALSE;
 396 }
 397
 398 float Ban_MaybeEnforceBan(entity client)
 399 {
 400         if(Ban_IsClientBanned(client, -1))
 401         {
 402                 string s;
 403                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 404                 dropclient(client);
 405                 bprint(s);
 406                 return TRUE;
 407         }
 408         return FALSE;
 409 }
 410
 411 string Ban_Enforce(float i, string reason)
 412 {
 413         string s;
 414         entity e;
 415
 416         // Enforce our new ban
 417         s = "";
 418         FOR_EACH_REALCLIENT(e)
 419                 if(Ban_IsClientBanned(e, i))
 420                 {
 421                         if(reason != "")
 422                         {
 423                                 if(s == "")
 424                                         reason = strcat(reason, ": affects ");
 425                                 else
 426                                         reason = strcat(reason, ", ");
 427                                 reason = strcat(reason, e.netname);
 428                         }
 429                         s = strcat(s, "^1NOTE:^7 banned client ", e.netname, "^7 has to go\n");
 430                         dropclient(e);
 431                 }
 432         bprint(s);
 433
 434         return reason;
 435 }
 436
 437 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 438 {
 439         float i;
 440         float j;
 441         float bestscore;
 442
 443         // already banned?
 444         for(i = 0; i < ban_count; ++i)
 445                 if(ban_ip[i] == ip)
 446                 {
 447                         // prolong the ban
 448                         if(time + bantime > ban_expire[i])
 449                         {
 450                                 ban_expire[i] = time + bantime;
 451                                 dprint(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 452                         }
 453                         else
 454                                 dprint(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 455
 456                         // and enforce
 457                         reason = Ban_Enforce(i, reason);
 458
 459                         // and abort
 460                         if(dosync)
 461                                 if(reason != "")
 462                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 463                                                 OnlineBanList_SendBan(ip, bantime, reason);
 464
 465                         return FALSE;
 466                 }
 467
 468         // do we have a free slot?
 469         for(i = 0; i < ban_count; ++i)
 470                 if(time > ban_expire[i])
 471                         break;
 472         // no free slot? Then look for the one who would get unbanned next
 473         if(i >= BAN_MAX)
 474         {
 475                 i = 0;
 476                 bestscore = ban_expire[i];
 477                 for(j = 1; j < ban_count; ++j)
 478                 {
 479                         if(ban_expire[j] < bestscore)
 480                         {
 481                                 i = j;
 482                                 bestscore = ban_expire[i];
 483                         }
 484                 }
 485         }
 486         // if we replace someone, will we be banned longer than him (so long-term
 487         // bans never get overridden by short-term bans)
 488         if(i < ban_count)
 489         if(ban_expire[i] > time + bantime)
 490         {
 491                 print(ip, " could not get banned due to no free ban slot\n");
 492                 return FALSE;
 493         }
 494         // okay, insert our new victim as i
 495         Ban_Delete(i);
 496         dprint(ip, " has been banned for ", ftos(bantime), " seconds\n");
 497         ban_expire[i] = time + bantime;
 498         ban_ip[i] = strzone(ip);
 499         ban_count = max(ban_count, i + 1);
 500
 501         Ban_SaveBans();
 502
 503         reason = Ban_Enforce(i, reason);
 504
 505         // and abort
 506         if(dosync)
 507                 if(reason != "")
 508                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 509                                 OnlineBanList_SendBan(ip, bantime, reason);
 510
 511         return TRUE;
 512 }
 513
 514 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 515 {
 516         if(!Ban_GetClientIP(client))
 517         {
 518                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 519                 dropclient(client);
 520                 return;
 521         }
 522         // now ban him
 523         switch(masksize)
 524         {
 525                 case 1:
 526                         Ban_Insert(ban_ip1, bantime, reason, 1);
 527                         break;
 528                 case 2:
 529                         Ban_Insert(ban_ip2, bantime, reason, 1);
 530                         break;
 531                 case 3:
 532                         Ban_Insert(ban_ip3, bantime, reason, 1);
 533                         break;
 534                 case 4:
 535                 default:
 536                         Ban_Insert(ban_ip4, bantime, reason, 1);
 537                         break;
 538 #ifdef UID
 539                 case 0:
 540                         Ban_Insert(ban_uid, bantime, reason, 1);
 541                         break;
 542 #endif
 543         }
 544         /*
 545          * not needed, as we enforce the ban in Ban_Insert anyway
 546         // and kick him
 547         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 548         dropclient(client);
 549          */
 550 }
 551
 552 float GameCommand_Ban(string command)
 553 {
 554         float argc;
 555         float bantime;
 556         entity client;
 557         float entno;
 558         float masksize;
 559         string reason;
 560         float reasonarg;
 561
 562         argc = tokenize_console(command);
 563         if(argv(0) == "help")
 564         {
 565                 print("  kickban # n m p reason - kickban player n for m seconds, using mask size p (1 to 4)\n");
 566                 print("  ban ip m reason - ban an IP or range (incomplete IP, like 1.2.3) for m seconds\n");
 567                 print("  bans - list all existing bans\n");
 568                 print("  unban n - delete the entry #n from the bans list\n");
 569                 return TRUE;
 570         }
 571         if(argv(0) == "kickban")
 572         {
 573 #define INITARG(c) reasonarg = c
 574 #define GETARG(v,d) if((argc > reasonarg) && ((v = stof(argv(reasonarg))) != 0)) ++reasonarg; else v = d
 575 #define RESTARG(v) if(argc > reasonarg) v = substring(command, argv_start_index(reasonarg), strlen(command) - argv_start_index(reasonarg)); else v = ""
 576                 if(argc >= 3)
 577                 {
 578                         entno = stof(argv(2));
 579                         if(entno > maxclients || entno < 1)
 580                                 return TRUE;
 581                         client = edict_num(entno);
 582
 583                         INITARG(3);
 584                         GETARG(bantime, cvar("g_ban_default_bantime"));
 585                         GETARG(masksize, cvar("g_ban_default_masksize"));
 586                         RESTARG(reason);
 587
 588                         Ban_KickBanClient(client, bantime, masksize, reason);
 589                         return TRUE;
 590                 }
 591         }
 592         else if(argv(0) == "ban")
 593         {
 594                 if(argc >= 2)
 595                 {
 596                         string ip;
 597                         ip = argv(1);
 598
 599                         INITARG(2);
 600                         GETARG(bantime, cvar("g_ban_default_bantime"));
 601                         RESTARG(reason);
 602
 603                         Ban_Insert(ip, bantime, reason, 1);
 604                         return TRUE;
 605                 }
 606 #undef INITARG
 607 #undef GETARG
 608 #undef RESTARG
 609         }
 610         else if(argv(0) == "bans")
 611         {
 612                 Ban_View();
 613                 return TRUE;
 614         }
 615         else if(argv(0) == "unban")
 616         {
 617                 if(argc >= 2)
 618                 {
 619                         float who;
 620                         who = stof(argv(1));
 621                         Ban_Delete(who);
 622                         return TRUE;
 623                 }
 624         }
 625         return FALSE;
 626 }