qcsrc/server/ipban.qc

   1 #include "ipban.qh"
   2 #include "_all.qh"
   3
   4 #include "autocvars.qh"
   5 #include "command/banning.qh"
   6 #include "defs.qh"
   7 #include "../common/constants.qh"
   8 #include "../common/util.qh"
   9 #include "../dpdefs/dpextensions.qh"
  10 #include "../dpdefs/progsdefs.qh"
  11
  12 /*
  13  * Protocol of online ban list:
  14  *
  15  * - Reporting a ban:
  16  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
  17  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
  18  * - Removing a ban:
  19  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
  20  * - Querying the ban list
  21  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  22  *
  23  *     shows the bans from the listed servers, and possibly others.
  24  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  25  *     newline ONLY (no carriage return):
  26  *
  27  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  28  *     time left in seconds
  29  *     reason of the ban
  30  *     server IP that registered the ban
  31  */
  32
  33 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
  34
  35 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  36
  37 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  38 {
  39         string uri;
  40         float i, n;
  41
  42         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
  43         uri = strcat(uri, "&ip=", uri_escape(ip));
  44         uri = strcat(uri, "&duration=", ftos(bantime));
  45         uri = strcat(uri, "&reason=", uri_escape(reason));
  46
  47         n = tokenize_console(autocvar_g_ban_sync_uri);
  48         if(n >= MAX_IPBAN_URIS)
  49                 n = MAX_IPBAN_URIS;
  50         for(i = 0; i < n; ++i)
  51         {
  52                 if(strstrofs(argv(i), "?", 0) >= 0)
  53                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  54                 else
  55                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  56         }
  57 }
  58
  59 void OnlineBanList_SendUnban(string ip)
  60 {
  61         string uri;
  62         float i, n;
  63
  64         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
  65         uri = strcat(uri, "&ip=", uri_escape(ip));
  66
  67         n = tokenize_console(autocvar_g_ban_sync_uri);
  68         if(n >= MAX_IPBAN_URIS)
  69                 n = MAX_IPBAN_URIS;
  70         for(i = 0; i < n; ++i)
  71         {
  72                 if(strstrofs(argv(i), "?", 0) >= 0)
  73                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  74                 else
  75                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  76         }
  77 }
  78
  79 string OnlineBanList_Servers;
  80 float OnlineBanList_Timeout;
  81 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  82
  83 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  84 {
  85         float n, i, j, l;
  86         string ip;
  87         float timeleft;
  88         string reason;
  89         string serverip;
  90         float syncinterval;
  91         string uri;
  92
  93         id -= URI_GET_IPBAN;
  94
  95         if(id >= MAX_IPBAN_URIS)
  96         {
  97                 LOG_INFO("Received ban list for invalid ID\n");
  98                 return;
  99         }
 100
 101         tokenize_console(autocvar_g_ban_sync_uri);
 102         uri = argv(id);
 103
 104         LOG_INFO("Received ban list from ", uri, ": ");
 105
 106         if(OnlineBanList_RequestWaiting[id] == 0)
 107         {
 108                 LOG_INFO("rejected (unexpected)\n");
 109                 return;
 110         }
 111
 112         OnlineBanList_RequestWaiting[id] = 0;
 113
 114         if(time > OnlineBanList_Timeout)
 115         {
 116                 LOG_INFO("rejected (too late)\n");
 117                 return;
 118         }
 119
 120         syncinterval = autocvar_g_ban_sync_interval;
 121         if(syncinterval == 0)
 122         {
 123                 LOG_INFO("rejected (syncing disabled)\n");
 124                 return;
 125         }
 126         if(syncinterval > 0)
 127                 syncinterval *= 60;
 128
 129         if(status != 0)
 130         {
 131                 LOG_INFO("error: status is ", ftos(status), "\n");
 132                 return;
 133         }
 134
 135         if(substring(data, 0, 1) == "<")
 136         {
 137                 LOG_INFO("error: received HTML instead of a ban list\n");
 138                 return;
 139         }
 140
 141         if(strstrofs(data, "\r", 0) != -1)
 142         {
 143                 LOG_INFO("error: received carriage returns\n");
 144                 return;
 145         }
 146
 147         if(data == "")
 148                 n = 0;
 149         else
 150                 n = tokenizebyseparator(data, "\n");
 151
 152         if((n % 4) != 0)
 153         {
 154                 LOG_INFO("error: received invalid item count: ", ftos(n), "\n");
 155                 return;
 156         }
 157
 158         LOG_INFO("OK, ", ftos(n / 4), " items\n");
 159
 160         for(i = 0; i < n; i += 4)
 161         {
 162                 ip = argv(i);
 163                 timeleft = stof(argv(i + 1));
 164                 reason = argv(i + 2);
 165                 serverip = argv(i + 3);
 166
 167                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
 168                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
 169                 LOG_TRACE(" serverip=", serverip, "\n");
 170
 171                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
 172                 if(timeleft < 0)
 173                         continue;
 174
 175                 l = strlen(ip);
 176                 if(l != 44) // length 44 is a cryptographic ID
 177                 {
 178                         for(j = 0; j < l; ++j)
 179                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 180                                 {
 181                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 182                                         goto skip;
 183                                 }
 184                 }
 185
 186                 if(autocvar_g_ban_sync_trusted_servers_verify)
 187                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 188                                 continue;
 189
 190                 if(syncinterval > 0)
 191                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 192                         // the ban will be prolonged on the next sync
 193                         // or expire 5 seconds after the next timeout
 194                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 195                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 196                 LOG_INFO(reason, "\n");
 197
 198 :skip
 199         }
 200 }
 201
 202 void OnlineBanList_Think()
 203 {SELFPARAM();
 204         float argc;
 205         string uri;
 206         float i, n;
 207
 208         if(autocvar_g_ban_sync_uri == "")
 209                 goto killme;
 210         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
 211                 goto killme;
 212         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
 213         if(argc == 0)
 214                 goto killme;
 215
 216         if(OnlineBanList_Servers)
 217                 strunzone(OnlineBanList_Servers);
 218         OnlineBanList_Servers = argv(0);
 219         for(i = 1; i < argc; ++i)
 220                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 221         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 222
 223         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
 224         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 225
 226         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
 227
 228         n = tokenize_console(autocvar_g_ban_sync_uri);
 229         if(n >= MAX_IPBAN_URIS)
 230                 n = MAX_IPBAN_URIS;
 231         for(i = 0; i < n; ++i)
 232         {
 233                 if(OnlineBanList_RequestWaiting[i])
 234                         continue;
 235                 OnlineBanList_RequestWaiting[i] = 1;
 236                 if(strstrofs(argv(i), "?", 0) >= 0)
 237                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 238                 else
 239                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 240         }
 241
 242         if(autocvar_g_ban_sync_interval > 0)
 243                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
 244         else
 245                 goto killme;
 246         return;
 247
 248 :killme
 249         remove(self);
 250 }
 251
 252 const float BAN_MAX = 256;
 253 float ban_loaded;
 254 string ban_ip[BAN_MAX];
 255 float ban_expire[BAN_MAX];
 256 float ban_count;
 257
 258 string ban_ip1;
 259 string ban_ip2;
 260 string ban_ip3;
 261 string ban_ip4;
 262 string ban_idfp;
 263
 264 void Ban_SaveBans()
 265 {
 266         string out;
 267         float i;
 268
 269         if(!ban_loaded)
 270                 return;
 271
 272         // version of list
 273         out = "1";
 274         for(i = 0; i < ban_count; ++i)
 275         {
 276                 if(time > ban_expire[i])
 277                         continue;
 278                 out = strcat(out, " ", ban_ip[i]);
 279                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 280         }
 281         if(strlen(out) <= 1) // no real entries
 282                 cvar_set("g_banned_list", "");
 283         else
 284                 cvar_set("g_banned_list", out);
 285 }
 286
 287 float Ban_Delete(float i)
 288 {
 289         if(i < 0)
 290                 return false;
 291         if(i >= ban_count)
 292                 return false;
 293         if(ban_expire[i] == 0)
 294                 return false;
 295         if(ban_expire[i] > 0)
 296         {
 297                 OnlineBanList_SendUnban(ban_ip[i]);
 298                 strunzone(ban_ip[i]);
 299         }
 300         ban_expire[i] = 0;
 301         ban_ip[i] = "";
 302         Ban_SaveBans();
 303         return true;
 304 }
 305
 306 void Ban_LoadBans()
 307 {
 308         float i, n;
 309         for(i = 0; i < ban_count; ++i)
 310                 Ban_Delete(i);
 311         ban_count = 0;
 312         ban_loaded = true;
 313         n = tokenize_console(autocvar_g_banned_list);
 314         if(stof(argv(0)) == 1)
 315         {
 316                 ban_count = (n - 1) / 2;
 317                 for(i = 0; i < ban_count; ++i)
 318                 {
 319                         ban_ip[i] = strzone(argv(2*i+1));
 320                         ban_expire[i] = time + stof(argv(2*i+2));
 321                 }
 322         }
 323
 324         entity e;
 325         e = spawn();
 326         e.classname = "bansyncer";
 327         e.think = OnlineBanList_Think;
 328         e.nextthink = time + 1;
 329 }
 330
 331 void Ban_View()
 332 {
 333         float i, n;
 334         string msg;
 335
 336         LOG_INFO("^2Listing all existing active bans:\n");
 337
 338         n = 0;
 339         for(i = 0; i < ban_count; ++i)
 340         {
 341                 if(time > ban_expire[i])
 342                         continue;
 343
 344                 ++n; // total number of existing bans
 345
 346                 msg = strcat("#", ftos(i), ": ");
 347                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 348                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 349
 350                 LOG_INFO("  ", msg, "\n");
 351         }
 352
 353         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.\n");
 354 }
 355
 356 float Ban_GetClientIP(entity client)
 357 {
 358         // we can't use tokenizing here, as this is called during ban list parsing
 359         float i1, i2, i3, i4;
 360         string s;
 361
 362         if(client.crypto_idfp_signed)
 363                 ban_idfp = client.crypto_idfp;
 364         else
 365                 ban_idfp = string_null;
 366
 367         s = client.netaddress;
 368
 369         i1 = strstrofs(s, ".", 0);
 370         if(i1 < 0)
 371                 goto ipv6;
 372         i2 = strstrofs(s, ".", i1 + 1);
 373         if(i2 < 0)
 374                 return false;
 375         i3 = strstrofs(s, ".", i2 + 1);
 376         if(i3 < 0)
 377                 return false;
 378         i4 = strstrofs(s, ".", i3 + 1);
 379         if(i4 >= 0)
 380                 s = substring(s, 0, i4);
 381
 382         ban_ip1 = substring(s, 0, i1); // 8
 383         ban_ip2 = substring(s, 0, i2); // 16
 384         ban_ip3 = substring(s, 0, i3); // 24
 385         ban_ip4 = strcat1(s); // 32
 386         return true;
 387
 388 :ipv6
 389         i1 = strstrofs(s, ":", 0);
 390         if(i1 < 0)
 391                 return false;
 392         i1 = strstrofs(s, ":", i1 + 1);
 393         if(i1 < 0)
 394                 return false;
 395         i2 = strstrofs(s, ":", i1 + 1);
 396         if(i2 < 0)
 397                 return false;
 398         i3 = strstrofs(s, ":", i2 + 1);
 399         if(i3 < 0)
 400                 return false;
 401
 402         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 403         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 404         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 405
 406         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 407                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 408         else
 409                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 410
 411         return true;
 412 }
 413
 414 float Ban_IsClientBanned(entity client, float idx)
 415 {
 416         float i, b, e, ipbanned;
 417         if(!ban_loaded)
 418                 Ban_LoadBans();
 419         if(!Ban_GetClientIP(client))
 420                 return false;
 421         if(idx < 0)
 422         {
 423                 b = 0;
 424                 e = ban_count;
 425         }
 426         else
 427         {
 428                 b = idx;
 429                 e = idx + 1;
 430         }
 431         ipbanned = false;
 432         for(i = b; i < e; ++i)
 433         {
 434                 string s;
 435                 if(time > ban_expire[i])
 436                         continue;
 437                 s = ban_ip[i];
 438                 if(ban_ip1 == s) ipbanned = true;
 439                 if(ban_ip2 == s) ipbanned = true;
 440                 if(ban_ip3 == s) ipbanned = true;
 441                 if(ban_ip4 == s) ipbanned = true;
 442                 if(ban_idfp == s) return true;
 443         }
 444         if(ipbanned)
 445         {
 446                 if(!autocvar_g_banned_list_idmode)
 447                         return true;
 448                 if (!ban_idfp)
 449                         return true;
 450         }
 451         return false;
 452 }
 453
 454 float Ban_MaybeEnforceBan(entity client)
 455 {
 456         if(Ban_IsClientBanned(client, -1))
 457         {
 458                 string s;
 459                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 460                 dropclient(client);
 461                 bprint(s);
 462                 return true;
 463         }
 464         return false;
 465 }
 466
 467 .float ban_checked;
 468 float Ban_MaybeEnforceBanOnce(entity client)
 469 {
 470         if(client.ban_checked)
 471                 return false;
 472         client.ban_checked = true;
 473         return Ban_MaybeEnforceBan(client);
 474 }
 475
 476 string Ban_Enforce(float i, string reason)
 477 {
 478         string s;
 479         entity e;
 480
 481         // Enforce our new ban
 482         s = "";
 483         FOR_EACH_CLIENTSLOT(e)
 484                 if (IS_REAL_CLIENT(e))
 485                 if(Ban_IsClientBanned(e, i))
 486                 {
 487                         if(reason != "")
 488                         {
 489                                 if(s == "")
 490                                         reason = strcat(reason, ": affects ");
 491                                 else
 492                                         reason = strcat(reason, ", ");
 493                                 reason = strcat(reason, e.netname);
 494                         }
 495                         s = strcat(s, "^1NOTE:^7 banned client ", e.netaddress, "^7 has to go\n");
 496                         dropclient(e);
 497                 }
 498         bprint(s);
 499
 500         return reason;
 501 }
 502
 503 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 504 {
 505         float i;
 506         float j;
 507         float bestscore;
 508
 509         // already banned?
 510         for(i = 0; i < ban_count; ++i)
 511                 if(ban_ip[i] == ip)
 512                 {
 513                         // prolong the ban
 514                         if(time + bantime > ban_expire[i])
 515                         {
 516                                 ban_expire[i] = time + bantime;
 517                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 518                         }
 519                         else
 520                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 521
 522                         // and enforce
 523                         reason = Ban_Enforce(i, reason);
 524
 525                         // and abort
 526                         if(dosync)
 527                                 if(reason != "")
 528                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 529                                                 OnlineBanList_SendBan(ip, bantime, reason);
 530
 531                         return false;
 532                 }
 533
 534         // do we have a free slot?
 535         for(i = 0; i < ban_count; ++i)
 536                 if(time > ban_expire[i])
 537                         break;
 538         // no free slot? Then look for the one who would get unbanned next
 539         if(i >= BAN_MAX)
 540         {
 541                 i = 0;
 542                 bestscore = ban_expire[i];
 543                 for(j = 1; j < ban_count; ++j)
 544                 {
 545                         if(ban_expire[j] < bestscore)
 546                         {
 547                                 i = j;
 548                                 bestscore = ban_expire[i];
 549                         }
 550                 }
 551         }
 552         // if we replace someone, will we be banned longer than him (so long-term
 553         // bans never get overridden by short-term bans)
 554         if(i < ban_count)
 555         if(ban_expire[i] > time + bantime)
 556         {
 557                 LOG_INFO(ip, " could not get banned due to no free ban slot\n");
 558                 return false;
 559         }
 560         // okay, insert our new victim as i
 561         Ban_Delete(i);
 562         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds\n");
 563         ban_expire[i] = time + bantime;
 564         ban_ip[i] = strzone(ip);
 565         ban_count = max(ban_count, i + 1);
 566
 567         Ban_SaveBans();
 568
 569         reason = Ban_Enforce(i, reason);
 570
 571         // and abort
 572         if(dosync)
 573                 if(reason != "")
 574                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 575                                 OnlineBanList_SendBan(ip, bantime, reason);
 576
 577         return true;
 578 }
 579
 580 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 581 {
 582         string ip, id;
 583         if(!Ban_GetClientIP(client))
 584         {
 585                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 586                 dropclient(client);
 587                 return;
 588         }
 589
 590         // who to ban?
 591         switch(masksize)
 592         {
 593                 case 1:
 594                         ip = strcat1(ban_ip1);
 595                         break;
 596                 case 2:
 597                         ip = strcat1(ban_ip2);
 598                         break;
 599                 case 3:
 600                         ip = strcat1(ban_ip3);
 601                         break;
 602                 case 4:
 603                 default:
 604                         ip = strcat1(ban_ip4);
 605                         break;
 606         }
 607         if(ban_idfp)
 608                 id = strcat1(ban_idfp);
 609         else
 610                 id = string_null;
 611
 612         Ban_Insert(ip, bantime, reason, 1);
 613         if(id)
 614                 Ban_Insert(id, bantime, reason, 1);
 615         /*
 616          * not needed, as we enforce the ban in Ban_Insert anyway
 617         // and kick him
 618         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 619         dropclient(client);
 620          */
 621 }