qcsrc/server/ipban.qc

   1 #include "ipban.qh"
   2 #include "_all.qh"
   3
   4 #include "autocvars.qh"
   5 #include "command/banning.qh"
   6 #include "defs.qh"
   7 #include "../common/constants.qh"
   8 #include "../common/util.qh"
   9
  10 /*
  11  * Protocol of online ban list:
  12  *
  13  * - Reporting a ban:
  14  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
  15  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
  16  * - Removing a ban:
  17  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
  18  * - Querying the ban list
  19  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  20  *
  21  *     shows the bans from the listed servers, and possibly others.
  22  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  23  *     newline ONLY (no carriage return):
  24  *
  25  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  26  *     time left in seconds
  27  *     reason of the ban
  28  *     server IP that registered the ban
  29  */
  30
  31 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
  32
  33 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  34
  35 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  36 {
  37         string uri;
  38         float i, n;
  39
  40         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
  41         uri = strcat(uri, "&ip=", uri_escape(ip));
  42         uri = strcat(uri, "&duration=", ftos(bantime));
  43         uri = strcat(uri, "&reason=", uri_escape(reason));
  44
  45         n = tokenize_console(autocvar_g_ban_sync_uri);
  46         if(n >= MAX_IPBAN_URIS)
  47                 n = MAX_IPBAN_URIS;
  48         for(i = 0; i < n; ++i)
  49         {
  50                 if(strstrofs(argv(i), "?", 0) >= 0)
  51                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  52                 else
  53                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  54         }
  55 }
  56
  57 void OnlineBanList_SendUnban(string ip)
  58 {
  59         string uri;
  60         float i, n;
  61
  62         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
  63         uri = strcat(uri, "&ip=", uri_escape(ip));
  64
  65         n = tokenize_console(autocvar_g_ban_sync_uri);
  66         if(n >= MAX_IPBAN_URIS)
  67                 n = MAX_IPBAN_URIS;
  68         for(i = 0; i < n; ++i)
  69         {
  70                 if(strstrofs(argv(i), "?", 0) >= 0)
  71                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  72                 else
  73                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  74         }
  75 }
  76
  77 string OnlineBanList_Servers;
  78 float OnlineBanList_Timeout;
  79 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  80
  81 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  82 {
  83         float n, i, j, l;
  84         string ip;
  85         float timeleft;
  86         string reason;
  87         string serverip;
  88         float syncinterval;
  89         string uri;
  90
  91         id -= URI_GET_IPBAN;
  92
  93         if(id >= MAX_IPBAN_URIS)
  94         {
  95                 LOG_INFO("Received ban list for invalid ID\n");
  96                 return;
  97         }
  98
  99         tokenize_console(autocvar_g_ban_sync_uri);
 100         uri = argv(id);
 101
 102         LOG_INFO("Received ban list from ", uri, ": ");
 103
 104         if(OnlineBanList_RequestWaiting[id] == 0)
 105         {
 106                 LOG_INFO("rejected (unexpected)\n");
 107                 return;
 108         }
 109
 110         OnlineBanList_RequestWaiting[id] = 0;
 111
 112         if(time > OnlineBanList_Timeout)
 113         {
 114                 LOG_INFO("rejected (too late)\n");
 115                 return;
 116         }
 117
 118         syncinterval = autocvar_g_ban_sync_interval;
 119         if(syncinterval == 0)
 120         {
 121                 LOG_INFO("rejected (syncing disabled)\n");
 122                 return;
 123         }
 124         if(syncinterval > 0)
 125                 syncinterval *= 60;
 126
 127         if(status != 0)
 128         {
 129                 LOG_INFO("error: status is ", ftos(status), "\n");
 130                 return;
 131         }
 132
 133         if(substring(data, 0, 1) == "<")
 134         {
 135                 LOG_INFO("error: received HTML instead of a ban list\n");
 136                 return;
 137         }
 138
 139         if(strstrofs(data, "\r", 0) != -1)
 140         {
 141                 LOG_INFO("error: received carriage returns\n");
 142                 return;
 143         }
 144
 145         if(data == "")
 146                 n = 0;
 147         else
 148                 n = tokenizebyseparator(data, "\n");
 149
 150         if((n % 4) != 0)
 151         {
 152                 LOG_INFO("error: received invalid item count: ", ftos(n), "\n");
 153                 return;
 154         }
 155
 156         LOG_INFO("OK, ", ftos(n / 4), " items\n");
 157
 158         for(i = 0; i < n; i += 4)
 159         {
 160                 ip = argv(i);
 161                 timeleft = stof(argv(i + 1));
 162                 reason = argv(i + 2);
 163                 serverip = argv(i + 3);
 164
 165                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
 166                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
 167                 LOG_TRACE(" serverip=", serverip, "\n");
 168
 169                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
 170                 if(timeleft < 0)
 171                         continue;
 172
 173                 l = strlen(ip);
 174                 if(l != 44) // length 44 is a cryptographic ID
 175                 {
 176                         for(j = 0; j < l; ++j)
 177                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 178                                 {
 179                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 180                                         goto skip;
 181                                 }
 182                 }
 183
 184                 if(autocvar_g_ban_sync_trusted_servers_verify)
 185                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 186                                 continue;
 187
 188                 if(syncinterval > 0)
 189                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 190                         // the ban will be prolonged on the next sync
 191                         // or expire 5 seconds after the next timeout
 192                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 193                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 194                 LOG_INFO(reason, "\n");
 195
 196 :skip
 197         }
 198 }
 199
 200 void OnlineBanList_Think()
 201 {SELFPARAM();
 202         float argc;
 203         string uri;
 204         float i, n;
 205
 206         if(autocvar_g_ban_sync_uri == "")
 207                 goto killme;
 208         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
 209                 goto killme;
 210         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
 211         if(argc == 0)
 212                 goto killme;
 213
 214         if(OnlineBanList_Servers)
 215                 strunzone(OnlineBanList_Servers);
 216         OnlineBanList_Servers = argv(0);
 217         for(i = 1; i < argc; ++i)
 218                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 219         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 220
 221         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
 222         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 223
 224         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
 225
 226         n = tokenize_console(autocvar_g_ban_sync_uri);
 227         if(n >= MAX_IPBAN_URIS)
 228                 n = MAX_IPBAN_URIS;
 229         for(i = 0; i < n; ++i)
 230         {
 231                 if(OnlineBanList_RequestWaiting[i])
 232                         continue;
 233                 OnlineBanList_RequestWaiting[i] = 1;
 234                 if(strstrofs(argv(i), "?", 0) >= 0)
 235                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 236                 else
 237                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 238         }
 239
 240         if(autocvar_g_ban_sync_interval > 0)
 241                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
 242         else
 243                 goto killme;
 244         return;
 245
 246 :killme
 247         remove(self);
 248 }
 249
 250 const float BAN_MAX = 256;
 251 float ban_loaded;
 252 string ban_ip[BAN_MAX];
 253 float ban_expire[BAN_MAX];
 254 float ban_count;
 255
 256 string ban_ip1;
 257 string ban_ip2;
 258 string ban_ip3;
 259 string ban_ip4;
 260 string ban_idfp;
 261
 262 void Ban_SaveBans()
 263 {
 264         string out;
 265         float i;
 266
 267         if(!ban_loaded)
 268                 return;
 269
 270         // version of list
 271         out = "1";
 272         for(i = 0; i < ban_count; ++i)
 273         {
 274                 if(time > ban_expire[i])
 275                         continue;
 276                 out = strcat(out, " ", ban_ip[i]);
 277                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 278         }
 279         if(strlen(out) <= 1) // no real entries
 280                 cvar_set("g_banned_list", "");
 281         else
 282                 cvar_set("g_banned_list", out);
 283 }
 284
 285 float Ban_Delete(float i)
 286 {
 287         if(i < 0)
 288                 return false;
 289         if(i >= ban_count)
 290                 return false;
 291         if(ban_expire[i] == 0)
 292                 return false;
 293         if(ban_expire[i] > 0)
 294         {
 295                 OnlineBanList_SendUnban(ban_ip[i]);
 296                 strunzone(ban_ip[i]);
 297         }
 298         ban_expire[i] = 0;
 299         ban_ip[i] = "";
 300         Ban_SaveBans();
 301         return true;
 302 }
 303
 304 void Ban_LoadBans()
 305 {
 306         float i, n;
 307         for(i = 0; i < ban_count; ++i)
 308                 Ban_Delete(i);
 309         ban_count = 0;
 310         ban_loaded = true;
 311         n = tokenize_console(autocvar_g_banned_list);
 312         if(stof(argv(0)) == 1)
 313         {
 314                 ban_count = (n - 1) / 2;
 315                 for(i = 0; i < ban_count; ++i)
 316                 {
 317                         ban_ip[i] = strzone(argv(2*i+1));
 318                         ban_expire[i] = time + stof(argv(2*i+2));
 319                 }
 320         }
 321
 322         entity e;
 323         e = spawn();
 324         e.classname = "bansyncer";
 325         e.think = OnlineBanList_Think;
 326         e.nextthink = time + 1;
 327 }
 328
 329 void Ban_View()
 330 {
 331         float i, n;
 332         string msg;
 333
 334         LOG_INFO("^2Listing all existing active bans:\n");
 335
 336         n = 0;
 337         for(i = 0; i < ban_count; ++i)
 338         {
 339                 if(time > ban_expire[i])
 340                         continue;
 341
 342                 ++n; // total number of existing bans
 343
 344                 msg = strcat("#", ftos(i), ": ");
 345                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 346                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 347
 348                 LOG_INFO("  ", msg, "\n");
 349         }
 350
 351         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.\n");
 352 }
 353
 354 float Ban_GetClientIP(entity client)
 355 {
 356         // we can't use tokenizing here, as this is called during ban list parsing
 357         float i1, i2, i3, i4;
 358         string s;
 359
 360         if(client.crypto_idfp_signed)
 361                 ban_idfp = client.crypto_idfp;
 362         else
 363                 ban_idfp = string_null;
 364
 365         s = client.netaddress;
 366
 367         i1 = strstrofs(s, ".", 0);
 368         if(i1 < 0)
 369                 goto ipv6;
 370         i2 = strstrofs(s, ".", i1 + 1);
 371         if(i2 < 0)
 372                 return false;
 373         i3 = strstrofs(s, ".", i2 + 1);
 374         if(i3 < 0)
 375                 return false;
 376         i4 = strstrofs(s, ".", i3 + 1);
 377         if(i4 >= 0)
 378                 s = substring(s, 0, i4);
 379
 380         ban_ip1 = substring(s, 0, i1); // 8
 381         ban_ip2 = substring(s, 0, i2); // 16
 382         ban_ip3 = substring(s, 0, i3); // 24
 383         ban_ip4 = strcat1(s); // 32
 384         return true;
 385
 386 :ipv6
 387         i1 = strstrofs(s, ":", 0);
 388         if(i1 < 0)
 389                 return false;
 390         i1 = strstrofs(s, ":", i1 + 1);
 391         if(i1 < 0)
 392                 return false;
 393         i2 = strstrofs(s, ":", i1 + 1);
 394         if(i2 < 0)
 395                 return false;
 396         i3 = strstrofs(s, ":", i2 + 1);
 397         if(i3 < 0)
 398                 return false;
 399
 400         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 401         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 402         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 403
 404         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 405                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 406         else
 407                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 408
 409         return true;
 410 }
 411
 412 float Ban_IsClientBanned(entity client, float idx)
 413 {
 414         float i, b, e, ipbanned;
 415         if(!ban_loaded)
 416                 Ban_LoadBans();
 417         if(!Ban_GetClientIP(client))
 418                 return false;
 419         if(idx < 0)
 420         {
 421                 b = 0;
 422                 e = ban_count;
 423         }
 424         else
 425         {
 426                 b = idx;
 427                 e = idx + 1;
 428         }
 429         ipbanned = false;
 430         for(i = b; i < e; ++i)
 431         {
 432                 string s;
 433                 if(time > ban_expire[i])
 434                         continue;
 435                 s = ban_ip[i];
 436                 if(ban_ip1 == s) ipbanned = true;
 437                 if(ban_ip2 == s) ipbanned = true;
 438                 if(ban_ip3 == s) ipbanned = true;
 439                 if(ban_ip4 == s) ipbanned = true;
 440                 if(ban_idfp == s) return true;
 441         }
 442         if(ipbanned)
 443         {
 444                 if(!autocvar_g_banned_list_idmode)
 445                         return true;
 446                 if (!ban_idfp)
 447                         return true;
 448         }
 449         return false;
 450 }
 451
 452 float Ban_MaybeEnforceBan(entity client)
 453 {
 454         if(Ban_IsClientBanned(client, -1))
 455         {
 456                 string s;
 457                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 458                 dropclient(client);
 459                 bprint(s);
 460                 return true;
 461         }
 462         return false;
 463 }
 464
 465 .float ban_checked;
 466 float Ban_MaybeEnforceBanOnce(entity client)
 467 {
 468         if(client.ban_checked)
 469                 return false;
 470         client.ban_checked = true;
 471         return Ban_MaybeEnforceBan(client);
 472 }
 473
 474 string Ban_Enforce(float i, string reason)
 475 {
 476         string s;
 477         entity e;
 478
 479         // Enforce our new ban
 480         s = "";
 481         FOR_EACH_CLIENTSLOT(e)
 482                 if (IS_REAL_CLIENT(e))
 483                 if(Ban_IsClientBanned(e, i))
 484                 {
 485                         if(reason != "")
 486                         {
 487                                 if(s == "")
 488                                         reason = strcat(reason, ": affects ");
 489                                 else
 490                                         reason = strcat(reason, ", ");
 491                                 reason = strcat(reason, e.netname);
 492                         }
 493                         s = strcat(s, "^1NOTE:^7 banned client ", e.netaddress, "^7 has to go\n");
 494                         dropclient(e);
 495                 }
 496         bprint(s);
 497
 498         return reason;
 499 }
 500
 501 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 502 {
 503         float i;
 504         float j;
 505         float bestscore;
 506
 507         // already banned?
 508         for(i = 0; i < ban_count; ++i)
 509                 if(ban_ip[i] == ip)
 510                 {
 511                         // prolong the ban
 512                         if(time + bantime > ban_expire[i])
 513                         {
 514                                 ban_expire[i] = time + bantime;
 515                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 516                         }
 517                         else
 518                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 519
 520                         // and enforce
 521                         reason = Ban_Enforce(i, reason);
 522
 523                         // and abort
 524                         if(dosync)
 525                                 if(reason != "")
 526                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 527                                                 OnlineBanList_SendBan(ip, bantime, reason);
 528
 529                         return false;
 530                 }
 531
 532         // do we have a free slot?
 533         for(i = 0; i < ban_count; ++i)
 534                 if(time > ban_expire[i])
 535                         break;
 536         // no free slot? Then look for the one who would get unbanned next
 537         if(i >= BAN_MAX)
 538         {
 539                 i = 0;
 540                 bestscore = ban_expire[i];
 541                 for(j = 1; j < ban_count; ++j)
 542                 {
 543                         if(ban_expire[j] < bestscore)
 544                         {
 545                                 i = j;
 546                                 bestscore = ban_expire[i];
 547                         }
 548                 }
 549         }
 550         // if we replace someone, will we be banned longer than him (so long-term
 551         // bans never get overridden by short-term bans)
 552         if(i < ban_count)
 553         if(ban_expire[i] > time + bantime)
 554         {
 555                 LOG_INFO(ip, " could not get banned due to no free ban slot\n");
 556                 return false;
 557         }
 558         // okay, insert our new victim as i
 559         Ban_Delete(i);
 560         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds\n");
 561         ban_expire[i] = time + bantime;
 562         ban_ip[i] = strzone(ip);
 563         ban_count = max(ban_count, i + 1);
 564
 565         Ban_SaveBans();
 566
 567         reason = Ban_Enforce(i, reason);
 568
 569         // and abort
 570         if(dosync)
 571                 if(reason != "")
 572                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 573                                 OnlineBanList_SendBan(ip, bantime, reason);
 574
 575         return true;
 576 }
 577
 578 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 579 {
 580         string ip, id;
 581         if(!Ban_GetClientIP(client))
 582         {
 583                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 584                 dropclient(client);
 585                 return;
 586         }
 587
 588         // who to ban?
 589         switch(masksize)
 590         {
 591                 case 1:
 592                         ip = strcat1(ban_ip1);
 593                         break;
 594                 case 2:
 595                         ip = strcat1(ban_ip2);
 596                         break;
 597                 case 3:
 598                         ip = strcat1(ban_ip3);
 599                         break;
 600                 case 4:
 601                 default:
 602                         ip = strcat1(ban_ip4);
 603                         break;
 604         }
 605         if(ban_idfp)
 606                 id = strcat1(ban_idfp);
 607         else
 608                 id = string_null;
 609
 610         Ban_Insert(ip, bantime, reason, 1);
 611         if(id)
 612                 Ban_Insert(id, bantime, reason, 1);
 613         /*
 614          * not needed, as we enforce the ban in Ban_Insert anyway
 615         // and kick him
 616         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 617         dropclient(client);
 618          */
 619 }