qcsrc/server/ipban.qc

   1 /*
   2  * Protocol of online ban list:
   3  *
   4  * - Reporting a ban:
   5  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
   6  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
   7  * - Removing a ban:
   8  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
   9  * - Querying the ban list
  10  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  11  *
  12  *     shows the bans from the listed servers, and possibly others.
  13  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  14  *     newline ONLY (no carriage return):
  15  *
  16  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  17  *     time left in seconds
  18  *     reason of the ban
  19  *     server IP that registered the ban
  20  */
  21
  22 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  23
  24 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  25 {
  26         string uri;
  27         float i, n;
  28
  29         uri = strcat(     "action=ban&hostname=", uri_escape(cvar_string("hostname")));
  30         uri = strcat(uri, "&ip=", uri_escape(ip));
  31         uri = strcat(uri, "&duration=", ftos(bantime));
  32         uri = strcat(uri, "&reason=", uri_escape(reason));
  33
  34         n = tokenize_console(cvar_string("g_ban_sync_uri"));
  35         if(n >= MAX_IPBAN_URIS)
  36                 n = MAX_IPBAN_URIS;
  37         for(i = 0; i < n; ++i)
  38         {
  39                 if(strstrofs(argv(i), "?", 0) >= 0)
  40                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  41                 else
  42                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  43         }
  44 }
  45
  46 void OnlineBanList_SendUnban(string ip)
  47 {
  48         string uri;
  49         float i, n;
  50
  51         uri = strcat(     "action=unban&hostname=", uri_escape(cvar_string("hostname")));
  52         uri = strcat(uri, "&ip=", uri_escape(ip));
  53
  54         n = tokenize_console(cvar_string("g_ban_sync_uri"));
  55         if(n >= MAX_IPBAN_URIS)
  56                 n = MAX_IPBAN_URIS;
  57         for(i = 0; i < n; ++i)
  58         {
  59                 if(strstrofs(argv(i), "?", 0) >= 0)
  60                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  61                 else
  62                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  63         }
  64 }
  65
  66 string OnlineBanList_Servers;
  67 float OnlineBanList_Timeout;
  68 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  69
  70 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  71 {
  72         float n, i, j, l;
  73         string ip;
  74         float timeleft;
  75         string reason;
  76         string serverip;
  77         float syncinterval;
  78         string uri;
  79
  80         id -= URI_GET_IPBAN;
  81
  82         if(id >= MAX_IPBAN_URIS)
  83         {
  84                 print("Received ban list for invalid ID\n");
  85                 return;
  86         }
  87
  88         tokenize_console(cvar_string("g_ban_sync_uri"));
  89         uri = argv(id);
  90
  91         print("Received ban list from ", uri, ": ");
  92
  93         if(OnlineBanList_RequestWaiting[id] == 0)
  94         {
  95                 print("rejected (unexpected)\n");
  96                 return;
  97         }
  98
  99         OnlineBanList_RequestWaiting[id] = 0;
 100
 101         if(time > OnlineBanList_Timeout)
 102         {
 103                 print("rejected (too late)\n");
 104                 return;
 105         }
 106
 107         syncinterval = cvar("g_ban_sync_interval");
 108         if(syncinterval == 0)
 109         {
 110                 print("rejected (syncing disabled)\n");
 111                 return;
 112         }
 113         if(syncinterval > 0)
 114                 syncinterval *= 60;
 115
 116         if(status != 0)
 117         {
 118                 print("error: status is ", ftos(status), "\n");
 119                 return;
 120         }
 121
 122         if(substring(data, 0, 1) == "<")
 123         {
 124                 print("error: received HTML instead of a ban list\n");
 125                 return;
 126         }
 127
 128         if(strstrofs(data, "\r", 0) != -1)
 129         {
 130                 print("error: received carriage returns\n");
 131                 return;
 132         }
 133
 134         if(data == "")
 135                 n = 0;
 136         else
 137                 n = tokenizebyseparator(data, "\n");
 138
 139         if(mod(n, 4) != 0)
 140         {
 141                 print("error: received invalid item count: ", ftos(n), "\n");
 142                 return;
 143         }
 144
 145         print("OK, ", ftos(n / 4), " items\n");
 146
 147         for(i = 0; i < n; i += 4)
 148         {
 149                 ip = argv(i);
 150                 timeleft = stof(argv(i + 1));
 151                 reason = argv(i + 2);
 152                 serverip = argv(i + 3);
 153
 154                 dprint("received ban list item ", ftos(i / 4), ": ip=", ip);
 155                 dprint(" timeleft=", ftos(timeleft), " reason=", reason);
 156                 dprint(" serverip=", serverip, "\n");
 157
 158                 timeleft -= 1.5 * cvar("g_ban_sync_timeout");
 159                 if(timeleft < 0)
 160                         continue;
 161
 162                 l = strlen(ip);
 163                 for(j = 0; j < l; ++j)
 164                         if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 165                         {
 166                                 print("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 167                                 goto skip;
 168                         }
 169
 170                 if(cvar("g_ban_sync_trusted_servers_verify"))
 171                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 172                                 continue;
 173
 174                 if(syncinterval > 0)
 175                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 176                         // the ban will be prolonged on the next sync
 177                         // or expire 5 seconds after the next timeout
 178                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 179                 print("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 180                 print(reason, "\n");
 181
 182 :skip
 183         }
 184 }
 185
 186 void OnlineBanList_Think()
 187 {
 188         float argc;
 189         string uri;
 190         float i, n;
 191
 192         if(cvar_string("g_ban_sync_uri") == "")
 193                 goto killme;
 194         if(cvar("g_ban_sync_interval") == 0) // < 0 is okay, it means "sync on level start only"
 195                 goto killme;
 196         argc = tokenize_console(cvar_string("g_ban_sync_trusted_servers"));
 197         if(argc == 0)
 198                 goto killme;
 199
 200         if(OnlineBanList_Servers)
 201                 strunzone(OnlineBanList_Servers);
 202         OnlineBanList_Servers = argv(0);
 203         for(i = 1; i < argc; ++i)
 204                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 205         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 206
 207         uri = strcat(     "action=list&hostname=", uri_escape(cvar_string("hostname")));
 208         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 209
 210         OnlineBanList_Timeout = time + cvar("g_ban_sync_timeout");
 211
 212         n = tokenize_console(cvar_string("g_ban_sync_uri"));
 213         if(n >= MAX_IPBAN_URIS)
 214                 n = MAX_IPBAN_URIS;
 215         for(i = 0; i < n; ++i)
 216         {
 217                 if(OnlineBanList_RequestWaiting[i])
 218                         continue;
 219                 OnlineBanList_RequestWaiting[i] = 1;
 220                 if(strstrofs(argv(i), "?", 0) >= 0)
 221                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 222                 else
 223                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 224         }
 225
 226         if(cvar("g_ban_sync_interval") > 0)
 227                 self.nextthink = time + max(60, cvar("g_ban_sync_interval") * 60);
 228         else
 229                 goto killme;
 230         return;
 231
 232 :killme
 233         remove(self);
 234 }
 235
 236 #define BAN_MAX 256
 237 float ban_loaded;
 238 string ban_ip[BAN_MAX];
 239 float ban_expire[BAN_MAX];
 240 float ban_count;
 241
 242 string ban_ip1;
 243 string ban_ip2;
 244 string ban_ip3;
 245 string ban_ip4;
 246 #ifdef UID
 247 string ban_uid;
 248 #endif
 249
 250 void Ban_SaveBans()
 251 {
 252         string out;
 253         float i;
 254
 255         if(!ban_loaded)
 256                 return;
 257
 258         // version of list
 259         out = "1";
 260         for(i = 0; i < ban_count; ++i)
 261         {
 262                 if(time > ban_expire[i])
 263                         continue;
 264                 out = strcat(out, " ", ban_ip[i]);
 265                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 266         }
 267         if(strlen(out) <= 1) // no real entries
 268                 cvar_set("g_banned_list", "");
 269         else
 270                 cvar_set("g_banned_list", out);
 271 }
 272
 273 float Ban_Delete(float i)
 274 {
 275         if(i < 0)
 276                 return FALSE;
 277         if(i >= ban_count)
 278                 return FALSE;
 279         if(ban_expire[i] == 0)
 280                 return FALSE;
 281         if(ban_expire[i] > 0)
 282         {
 283                 OnlineBanList_SendUnban(ban_ip[i]);
 284                 strunzone(ban_ip[i]);
 285         }
 286         ban_expire[i] = 0;
 287         ban_ip[i] = "";
 288         Ban_SaveBans();
 289         return TRUE;
 290 }
 291
 292 void Ban_LoadBans()
 293 {
 294         float i, n;
 295         for(i = 0; i < ban_count; ++i)
 296                 Ban_Delete(i);
 297         ban_count = 0;
 298         ban_loaded = TRUE;
 299         n = tokenize_console(cvar_string("g_banned_list"));
 300         if(stof(argv(0)) == 1)
 301         {
 302                 ban_count = (n - 1) / 2;
 303                 for(i = 0; i < ban_count; ++i)
 304                 {
 305                         ban_ip[i] = strzone(argv(2*i+1));
 306                         ban_expire[i] = time + stof(argv(2*i+2));
 307                 }
 308         }
 309
 310         entity e;
 311         e = spawn();
 312         e.classname = "bansyncer";
 313         e.think = OnlineBanList_Think;
 314         e.nextthink = time + 1;
 315 }
 316
 317 void Ban_View()
 318 {
 319         float i;
 320         string msg;
 321         for(i = 0; i < ban_count; ++i)
 322         {
 323                 if(time > ban_expire[i])
 324                         continue;
 325                 msg = strcat("#", ftos(i), ": ");
 326                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 327                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 328                 print(msg, "\n");
 329         }
 330 }
 331
 332 float Ban_GetClientIP(entity client)
 333 {
 334         // we can't use tokenizing here, as this is called during ban list parsing
 335         float i1, i2, i3, i4;
 336         string s;
 337
 338 #ifdef UID
 339         ban_uid = client.uid;
 340 #endif
 341
 342         s = client.netaddress;
 343
 344         i1 = strstrofs(s, ".", 0);
 345         if(i1 < 0)
 346                 goto ipv6;
 347         i2 = strstrofs(s, ".", i1 + 1);
 348         if(i2 < 0)
 349                 return FALSE;
 350         i3 = strstrofs(s, ".", i2 + 1);
 351         if(i3 < 0)
 352                 return FALSE;
 353         i4 = strstrofs(s, ".", i3 + 1);
 354         if(i4 >= 0)
 355                 s = substring(s, 0, i4);
 356
 357         ban_ip1 = substring(s, 0, i1); // 8
 358         ban_ip2 = substring(s, 0, i2); // 16
 359         ban_ip3 = substring(s, 0, i3); // 24
 360         ban_ip4 = strcat1(s); // 32
 361         return TRUE;
 362
 363 :ipv6
 364         i1 = strstrofs(s, ":", 0);
 365         if(i1 < 0)
 366                 return FALSE;
 367         i1 = strstrofs(s, ":", i1 + 1);
 368         if(i1 < 0)
 369                 return FALSE;
 370         i2 = strstrofs(s, ":", i1 + 1);
 371         if(i2 < 0)
 372                 return FALSE;
 373         i3 = strstrofs(s, ":", i2 + 1);
 374         if(i3 < 0)
 375                 return FALSE;
 376
 377         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 378         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 379         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 380
 381         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 382                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 383         else
 384                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 385
 386         return TRUE;
 387 }
 388
 389 float Ban_IsClientBanned(entity client, float idx)
 390 {
 391         float i, b, e;
 392         if(!ban_loaded)
 393                 Ban_LoadBans();
 394         if(!Ban_GetClientIP(client))
 395                 return FALSE;
 396         if(idx < 0)
 397         {
 398                 b = 0;
 399                 e = ban_count;
 400         }
 401         else
 402         {
 403                 b = idx;
 404                 e = idx + 1;
 405         }
 406         for(i = b; i < e; ++i)
 407         {
 408                 string s;
 409                 if(time > ban_expire[i])
 410                         continue;
 411                 s = ban_ip[i];
 412                 if(ban_ip1 == s) return TRUE;
 413                 if(ban_ip2 == s) return TRUE;
 414                 if(ban_ip3 == s) return TRUE;
 415                 if(ban_ip4 == s) return TRUE;
 416 #ifdef UID
 417                 if(ban_uid == s) return TRUE;
 418 #endif
 419         }
 420         return FALSE;
 421 }
 422
 423 float Ban_MaybeEnforceBan(entity client)
 424 {
 425         if(Ban_IsClientBanned(client, -1))
 426         {
 427                 string s;
 428                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 429                 dropclient(client);
 430                 bprint(s);
 431                 return TRUE;
 432         }
 433         return FALSE;
 434 }
 435
 436 string Ban_Enforce(float i, string reason)
 437 {
 438         string s;
 439         entity e;
 440
 441         // Enforce our new ban
 442         s = "";
 443         FOR_EACH_REALCLIENT(e)
 444                 if(Ban_IsClientBanned(e, i))
 445                 {
 446                         if(reason != "")
 447                         {
 448                                 if(s == "")
 449                                         reason = strcat(reason, ": affects ");
 450                                 else
 451                                         reason = strcat(reason, ", ");
 452                                 reason = strcat(reason, e.netname);
 453                         }
 454                         s = strcat(s, "^1NOTE:^7 banned client ", e.netname, "^7 has to go\n");
 455                         dropclient(e);
 456                 }
 457         bprint(s);
 458
 459         return reason;
 460 }
 461
 462 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 463 {
 464         float i;
 465         float j;
 466         float bestscore;
 467
 468         // already banned?
 469         for(i = 0; i < ban_count; ++i)
 470                 if(ban_ip[i] == ip)
 471                 {
 472                         // prolong the ban
 473                         if(time + bantime > ban_expire[i])
 474                         {
 475                                 ban_expire[i] = time + bantime;
 476                                 dprint(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 477                         }
 478                         else
 479                                 dprint(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 480
 481                         // and enforce
 482                         reason = Ban_Enforce(i, reason);
 483
 484                         // and abort
 485                         if(dosync)
 486                                 if(reason != "")
 487                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 488                                                 OnlineBanList_SendBan(ip, bantime, reason);
 489
 490                         return FALSE;
 491                 }
 492
 493         // do we have a free slot?
 494         for(i = 0; i < ban_count; ++i)
 495                 if(time > ban_expire[i])
 496                         break;
 497         // no free slot? Then look for the one who would get unbanned next
 498         if(i >= BAN_MAX)
 499         {
 500                 i = 0;
 501                 bestscore = ban_expire[i];
 502                 for(j = 1; j < ban_count; ++j)
 503                 {
 504                         if(ban_expire[j] < bestscore)
 505                         {
 506                                 i = j;
 507                                 bestscore = ban_expire[i];
 508                         }
 509                 }
 510         }
 511         // if we replace someone, will we be banned longer than him (so long-term
 512         // bans never get overridden by short-term bans)
 513         if(i < ban_count)
 514         if(ban_expire[i] > time + bantime)
 515         {
 516                 print(ip, " could not get banned due to no free ban slot\n");
 517                 return FALSE;
 518         }
 519         // okay, insert our new victim as i
 520         Ban_Delete(i);
 521         dprint(ip, " has been banned for ", ftos(bantime), " seconds\n");
 522         ban_expire[i] = time + bantime;
 523         ban_ip[i] = strzone(ip);
 524         ban_count = max(ban_count, i + 1);
 525
 526         Ban_SaveBans();
 527
 528         reason = Ban_Enforce(i, reason);
 529
 530         // and abort
 531         if(dosync)
 532                 if(reason != "")
 533                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 534                                 OnlineBanList_SendBan(ip, bantime, reason);
 535
 536         return TRUE;
 537 }
 538
 539 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 540 {
 541         if(!Ban_GetClientIP(client))
 542         {
 543                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 544                 dropclient(client);
 545                 return;
 546         }
 547         // now ban him
 548         switch(masksize)
 549         {
 550                 case 1:
 551                         Ban_Insert(ban_ip1, bantime, reason, 1);
 552                         break;
 553                 case 2:
 554                         Ban_Insert(ban_ip2, bantime, reason, 1);
 555                         break;
 556                 case 3:
 557                         Ban_Insert(ban_ip3, bantime, reason, 1);
 558                         break;
 559                 case 4:
 560                 default:
 561                         Ban_Insert(ban_ip4, bantime, reason, 1);
 562                         break;
 563 #ifdef UID
 564                 case 0:
 565                         Ban_Insert(ban_uid, bantime, reason, 1);
 566                         break;
 567 #endif
 568         }
 569         /*
 570          * not needed, as we enforce the ban in Ban_Insert anyway
 571         // and kick him
 572         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 573         dropclient(client);
 574          */
 575 }
 576
 577 float GameCommand_Ban(string command)
 578 {
 579         float argc;
 580         float bantime;
 581         entity client;
 582         float entno;
 583         float masksize;
 584         string reason;
 585         float reasonarg;
 586
 587         argc = tokenize_console(command);
 588         if(argv(0) == "help")
 589         {
 590                 print("  kickban # n m p reason - kickban player n for m seconds, using mask size p (1 to 4)\n");
 591                 print("  ban ip m reason - ban an IP or range (incomplete IP, like 1.2.3) for m seconds\n");
 592                 print("  bans - list all existing bans\n");
 593                 print("  unban n - delete the entry #n from the bans list\n");
 594                 return TRUE;
 595         }
 596         if(argv(0) == "kickban")
 597         {
 598 #define INITARG(c) reasonarg = c
 599 #define GETARG(v,d) if((argc > reasonarg) && ((v = stof(argv(reasonarg))) != 0)) ++reasonarg; else v = d
 600 #define RESTARG(v) if(argc > reasonarg) v = substring(command, argv_start_index(reasonarg), strlen(command) - argv_start_index(reasonarg)); else v = ""
 601                 if(argc >= 3)
 602                 {
 603                         entno = stof(argv(2));
 604                         if(entno > maxclients || entno < 1)
 605                                 return TRUE;
 606                         client = edict_num(entno);
 607
 608                         INITARG(3);
 609                         GETARG(bantime, cvar("g_ban_default_bantime"));
 610                         GETARG(masksize, cvar("g_ban_default_masksize"));
 611                         RESTARG(reason);
 612
 613                         Ban_KickBanClient(client, bantime, masksize, reason);
 614                         return TRUE;
 615                 }
 616         }
 617         else if(argv(0) == "ban")
 618         {
 619                 if(argc >= 2)
 620                 {
 621                         string ip;
 622                         ip = argv(1);
 623
 624                         INITARG(2);
 625                         GETARG(bantime, cvar("g_ban_default_bantime"));
 626                         RESTARG(reason);
 627
 628                         Ban_Insert(ip, bantime, reason, 1);
 629                         return TRUE;
 630                 }
 631 #undef INITARG
 632 #undef GETARG
 633 #undef RESTARG
 634         }
 635         else if(argv(0) == "bans")
 636         {
 637                 Ban_View();
 638                 return TRUE;
 639         }
 640         else if(argv(0) == "unban")
 641         {
 642                 if(argc >= 2)
 643                 {
 644                         float who;
 645                         who = stof(argv(1));
 646                         Ban_Delete(who);
 647                         return TRUE;
 648                 }
 649         }
 650         return FALSE;
 651 }