qcsrc/server/ipban.qc

   1 #include "ipban.qh"
   2
   3 #include "autocvars.qh"
   4 #include "command/banning.qh"
   5 #include "defs.qh"
   6 #include "../common/constants.qh"
   7 #include "../common/util.qh"
   8
   9 /*
  10  * Protocol of online ban list:
  11  *
  12  * - Reporting a ban:
  13  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
  14  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
  15  * - Removing a ban:
  16  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
  17  * - Querying the ban list
  18  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  19  *
  20  *     shows the bans from the listed servers, and possibly others.
  21  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  22  *     newline ONLY (no carriage return):
  23  *
  24  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  25  *     time left in seconds
  26  *     reason of the ban
  27  *     server IP that registered the ban
  28  */
  29
  30 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
  31
  32 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  33
  34 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  35 {
  36         string uri;
  37         float i, n;
  38
  39         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
  40         uri = strcat(uri, "&ip=", uri_escape(ip));
  41         uri = strcat(uri, "&duration=", ftos(bantime));
  42         uri = strcat(uri, "&reason=", uri_escape(reason));
  43
  44         n = tokenize_console(autocvar_g_ban_sync_uri);
  45         if(n >= MAX_IPBAN_URIS)
  46                 n = MAX_IPBAN_URIS;
  47         for(i = 0; i < n; ++i)
  48         {
  49                 if(strstrofs(argv(i), "?", 0) >= 0)
  50                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  51                 else
  52                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  53         }
  54 }
  55
  56 void OnlineBanList_SendUnban(string ip)
  57 {
  58         string uri;
  59         float i, n;
  60
  61         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
  62         uri = strcat(uri, "&ip=", uri_escape(ip));
  63
  64         n = tokenize_console(autocvar_g_ban_sync_uri);
  65         if(n >= MAX_IPBAN_URIS)
  66                 n = MAX_IPBAN_URIS;
  67         for(i = 0; i < n; ++i)
  68         {
  69                 if(strstrofs(argv(i), "?", 0) >= 0)
  70                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  71                 else
  72                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  73         }
  74 }
  75
  76 string OnlineBanList_Servers;
  77 float OnlineBanList_Timeout;
  78 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  79
  80 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  81 {
  82         float n, i, j, l;
  83         string ip;
  84         float timeleft;
  85         string reason;
  86         string serverip;
  87         float syncinterval;
  88         string uri;
  89
  90         id -= URI_GET_IPBAN;
  91
  92         if(id >= MAX_IPBAN_URIS)
  93         {
  94                 LOG_INFO("Received ban list for invalid ID\n");
  95                 return;
  96         }
  97
  98         tokenize_console(autocvar_g_ban_sync_uri);
  99         uri = argv(id);
 100
 101         LOG_INFO("Received ban list from ", uri, ": ");
 102
 103         if(OnlineBanList_RequestWaiting[id] == 0)
 104         {
 105                 LOG_INFO("rejected (unexpected)\n");
 106                 return;
 107         }
 108
 109         OnlineBanList_RequestWaiting[id] = 0;
 110
 111         if(time > OnlineBanList_Timeout)
 112         {
 113                 LOG_INFO("rejected (too late)\n");
 114                 return;
 115         }
 116
 117         syncinterval = autocvar_g_ban_sync_interval;
 118         if(syncinterval == 0)
 119         {
 120                 LOG_INFO("rejected (syncing disabled)\n");
 121                 return;
 122         }
 123         if(syncinterval > 0)
 124                 syncinterval *= 60;
 125
 126         if(status != 0)
 127         {
 128                 LOG_INFO("error: status is ", ftos(status), "\n");
 129                 return;
 130         }
 131
 132         if(substring(data, 0, 1) == "<")
 133         {
 134                 LOG_INFO("error: received HTML instead of a ban list\n");
 135                 return;
 136         }
 137
 138         if(strstrofs(data, "\r", 0) != -1)
 139         {
 140                 LOG_INFO("error: received carriage returns\n");
 141                 return;
 142         }
 143
 144         if(data == "")
 145                 n = 0;
 146         else
 147                 n = tokenizebyseparator(data, "\n");
 148
 149         if((n % 4) != 0)
 150         {
 151                 LOG_INFO("error: received invalid item count: ", ftos(n), "\n");
 152                 return;
 153         }
 154
 155         LOG_INFO("OK, ", ftos(n / 4), " items\n");
 156
 157         for(i = 0; i < n; i += 4)
 158         {
 159                 ip = argv(i);
 160                 timeleft = stof(argv(i + 1));
 161                 reason = argv(i + 2);
 162                 serverip = argv(i + 3);
 163
 164                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
 165                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
 166                 LOG_TRACE(" serverip=", serverip, "\n");
 167
 168                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
 169                 if(timeleft < 0)
 170                         continue;
 171
 172                 l = strlen(ip);
 173                 if(l != 44) // length 44 is a cryptographic ID
 174                 {
 175                         for(j = 0; j < l; ++j)
 176                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 177                                 {
 178                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 179                                         goto skip;
 180                                 }
 181                 }
 182
 183                 if(autocvar_g_ban_sync_trusted_servers_verify)
 184                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 185                                 continue;
 186
 187                 if(syncinterval > 0)
 188                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 189                         // the ban will be prolonged on the next sync
 190                         // or expire 5 seconds after the next timeout
 191                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 192                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 193                 LOG_INFO(reason, "\n");
 194
 195 :skip
 196         }
 197 }
 198
 199 void OnlineBanList_Think()
 200 {SELFPARAM();
 201         float argc;
 202         string uri;
 203         float i, n;
 204
 205         if(autocvar_g_ban_sync_uri == "")
 206                 goto killme;
 207         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
 208                 goto killme;
 209         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
 210         if(argc == 0)
 211                 goto killme;
 212
 213         if(OnlineBanList_Servers)
 214                 strunzone(OnlineBanList_Servers);
 215         OnlineBanList_Servers = argv(0);
 216         for(i = 1; i < argc; ++i)
 217                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 218         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 219
 220         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
 221         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 222
 223         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
 224
 225         n = tokenize_console(autocvar_g_ban_sync_uri);
 226         if(n >= MAX_IPBAN_URIS)
 227                 n = MAX_IPBAN_URIS;
 228         for(i = 0; i < n; ++i)
 229         {
 230                 if(OnlineBanList_RequestWaiting[i])
 231                         continue;
 232                 OnlineBanList_RequestWaiting[i] = 1;
 233                 if(strstrofs(argv(i), "?", 0) >= 0)
 234                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 235                 else
 236                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 237         }
 238
 239         if(autocvar_g_ban_sync_interval > 0)
 240                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
 241         else
 242                 goto killme;
 243         return;
 244
 245 :killme
 246         remove(self);
 247 }
 248
 249 const float BAN_MAX = 256;
 250 float ban_loaded;
 251 string ban_ip[BAN_MAX];
 252 float ban_expire[BAN_MAX];
 253 float ban_count;
 254
 255 string ban_ip1;
 256 string ban_ip2;
 257 string ban_ip3;
 258 string ban_ip4;
 259 string ban_idfp;
 260
 261 void Ban_SaveBans()
 262 {
 263         string out;
 264         float i;
 265
 266         if(!ban_loaded)
 267                 return;
 268
 269         // version of list
 270         out = "1";
 271         for(i = 0; i < ban_count; ++i)
 272         {
 273                 if(time > ban_expire[i])
 274                         continue;
 275                 out = strcat(out, " ", ban_ip[i]);
 276                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 277         }
 278         if(strlen(out) <= 1) // no real entries
 279                 cvar_set("g_banned_list", "");
 280         else
 281                 cvar_set("g_banned_list", out);
 282 }
 283
 284 float Ban_Delete(float i)
 285 {
 286         if(i < 0)
 287                 return false;
 288         if(i >= ban_count)
 289                 return false;
 290         if(ban_expire[i] == 0)
 291                 return false;
 292         if(ban_expire[i] > 0)
 293         {
 294                 OnlineBanList_SendUnban(ban_ip[i]);
 295                 strunzone(ban_ip[i]);
 296         }
 297         ban_expire[i] = 0;
 298         ban_ip[i] = "";
 299         Ban_SaveBans();
 300         return true;
 301 }
 302
 303 void Ban_LoadBans()
 304 {
 305         float i, n;
 306         for(i = 0; i < ban_count; ++i)
 307                 Ban_Delete(i);
 308         ban_count = 0;
 309         ban_loaded = true;
 310         n = tokenize_console(autocvar_g_banned_list);
 311         if(stof(argv(0)) == 1)
 312         {
 313                 ban_count = (n - 1) / 2;
 314                 for(i = 0; i < ban_count; ++i)
 315                 {
 316                         ban_ip[i] = strzone(argv(2*i+1));
 317                         ban_expire[i] = time + stof(argv(2*i+2));
 318                 }
 319         }
 320
 321         entity e;
 322         e = spawn();
 323         e.classname = "bansyncer";
 324         e.think = OnlineBanList_Think;
 325         e.nextthink = time + 1;
 326 }
 327
 328 void Ban_View()
 329 {
 330         float i, n;
 331         string msg;
 332
 333         LOG_INFO("^2Listing all existing active bans:\n");
 334
 335         n = 0;
 336         for(i = 0; i < ban_count; ++i)
 337         {
 338                 if(time > ban_expire[i])
 339                         continue;
 340
 341                 ++n; // total number of existing bans
 342
 343                 msg = strcat("#", ftos(i), ": ");
 344                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 345                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 346
 347                 LOG_INFO("  ", msg, "\n");
 348         }
 349
 350         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.\n");
 351 }
 352
 353 float Ban_GetClientIP(entity client)
 354 {
 355         // we can't use tokenizing here, as this is called during ban list parsing
 356         float i1, i2, i3, i4;
 357         string s;
 358
 359         if(client.crypto_idfp_signed)
 360                 ban_idfp = client.crypto_idfp;
 361         else
 362                 ban_idfp = string_null;
 363
 364         s = client.netaddress;
 365
 366         i1 = strstrofs(s, ".", 0);
 367         if(i1 < 0)
 368                 goto ipv6;
 369         i2 = strstrofs(s, ".", i1 + 1);
 370         if(i2 < 0)
 371                 return false;
 372         i3 = strstrofs(s, ".", i2 + 1);
 373         if(i3 < 0)
 374                 return false;
 375         i4 = strstrofs(s, ".", i3 + 1);
 376         if(i4 >= 0)
 377                 s = substring(s, 0, i4);
 378
 379         ban_ip1 = substring(s, 0, i1); // 8
 380         ban_ip2 = substring(s, 0, i2); // 16
 381         ban_ip3 = substring(s, 0, i3); // 24
 382         ban_ip4 = strcat1(s); // 32
 383         return true;
 384
 385 :ipv6
 386         i1 = strstrofs(s, ":", 0);
 387         if(i1 < 0)
 388                 return false;
 389         i1 = strstrofs(s, ":", i1 + 1);
 390         if(i1 < 0)
 391                 return false;
 392         i2 = strstrofs(s, ":", i1 + 1);
 393         if(i2 < 0)
 394                 return false;
 395         i3 = strstrofs(s, ":", i2 + 1);
 396         if(i3 < 0)
 397                 return false;
 398
 399         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 400         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 401         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 402
 403         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 404                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 405         else
 406                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 407
 408         return true;
 409 }
 410
 411 float Ban_IsClientBanned(entity client, float idx)
 412 {
 413         float i, b, e, ipbanned;
 414         if(!ban_loaded)
 415                 Ban_LoadBans();
 416         if(!Ban_GetClientIP(client))
 417                 return false;
 418         if(idx < 0)
 419         {
 420                 b = 0;
 421                 e = ban_count;
 422         }
 423         else
 424         {
 425                 b = idx;
 426                 e = idx + 1;
 427         }
 428         ipbanned = false;
 429         for(i = b; i < e; ++i)
 430         {
 431                 string s;
 432                 if(time > ban_expire[i])
 433                         continue;
 434                 s = ban_ip[i];
 435                 if(ban_ip1 == s) ipbanned = true;
 436                 if(ban_ip2 == s) ipbanned = true;
 437                 if(ban_ip3 == s) ipbanned = true;
 438                 if(ban_ip4 == s) ipbanned = true;
 439                 if(ban_idfp == s) return true;
 440         }
 441         if(ipbanned)
 442         {
 443                 if(!autocvar_g_banned_list_idmode)
 444                         return true;
 445                 if (!ban_idfp)
 446                         return true;
 447         }
 448         return false;
 449 }
 450
 451 float Ban_MaybeEnforceBan(entity client)
 452 {
 453         if(Ban_IsClientBanned(client, -1))
 454         {
 455                 string s;
 456                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 457                 dropclient(client);
 458                 bprint(s);
 459                 return true;
 460         }
 461         return false;
 462 }
 463
 464 .float ban_checked;
 465 float Ban_MaybeEnforceBanOnce(entity client)
 466 {
 467         if(client.ban_checked)
 468                 return false;
 469         client.ban_checked = true;
 470         return Ban_MaybeEnforceBan(client);
 471 }
 472
 473 string Ban_Enforce(float i, string reason)
 474 {
 475         string s;
 476         entity e;
 477
 478         // Enforce our new ban
 479         s = "";
 480         FOR_EACH_CLIENTSLOT(e)
 481                 if (IS_REAL_CLIENT(e))
 482                 if(Ban_IsClientBanned(e, i))
 483                 {
 484                         if(reason != "")
 485                         {
 486                                 if(s == "")
 487                                         reason = strcat(reason, ": affects ");
 488                                 else
 489                                         reason = strcat(reason, ", ");
 490                                 reason = strcat(reason, e.netname);
 491                         }
 492                         s = strcat(s, "^1NOTE:^7 banned client ", e.netaddress, "^7 has to go\n");
 493                         dropclient(e);
 494                 }
 495         bprint(s);
 496
 497         return reason;
 498 }
 499
 500 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 501 {
 502         float i;
 503         float j;
 504         float bestscore;
 505
 506         // already banned?
 507         for(i = 0; i < ban_count; ++i)
 508                 if(ban_ip[i] == ip)
 509                 {
 510                         // prolong the ban
 511                         if(time + bantime > ban_expire[i])
 512                         {
 513                                 ban_expire[i] = time + bantime;
 514                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 515                         }
 516                         else
 517                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 518
 519                         // and enforce
 520                         reason = Ban_Enforce(i, reason);
 521
 522                         // and abort
 523                         if(dosync)
 524                                 if(reason != "")
 525                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 526                                                 OnlineBanList_SendBan(ip, bantime, reason);
 527
 528                         return false;
 529                 }
 530
 531         // do we have a free slot?
 532         for(i = 0; i < ban_count; ++i)
 533                 if(time > ban_expire[i])
 534                         break;
 535         // no free slot? Then look for the one who would get unbanned next
 536         if(i >= BAN_MAX)
 537         {
 538                 i = 0;
 539                 bestscore = ban_expire[i];
 540                 for(j = 1; j < ban_count; ++j)
 541                 {
 542                         if(ban_expire[j] < bestscore)
 543                         {
 544                                 i = j;
 545                                 bestscore = ban_expire[i];
 546                         }
 547                 }
 548         }
 549         // if we replace someone, will we be banned longer than him (so long-term
 550         // bans never get overridden by short-term bans)
 551         if(i < ban_count)
 552         if(ban_expire[i] > time + bantime)
 553         {
 554                 LOG_INFO(ip, " could not get banned due to no free ban slot\n");
 555                 return false;
 556         }
 557         // okay, insert our new victim as i
 558         Ban_Delete(i);
 559         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds\n");
 560         ban_expire[i] = time + bantime;
 561         ban_ip[i] = strzone(ip);
 562         ban_count = max(ban_count, i + 1);
 563
 564         Ban_SaveBans();
 565
 566         reason = Ban_Enforce(i, reason);
 567
 568         // and abort
 569         if(dosync)
 570                 if(reason != "")
 571                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 572                                 OnlineBanList_SendBan(ip, bantime, reason);
 573
 574         return true;
 575 }
 576
 577 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 578 {
 579         string ip, id;
 580         if(!Ban_GetClientIP(client))
 581         {
 582                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 583                 dropclient(client);
 584                 return;
 585         }
 586
 587         // who to ban?
 588         switch(masksize)
 589         {
 590                 case 1:
 591                         ip = strcat1(ban_ip1);
 592                         break;
 593                 case 2:
 594                         ip = strcat1(ban_ip2);
 595                         break;
 596                 case 3:
 597                         ip = strcat1(ban_ip3);
 598                         break;
 599                 case 4:
 600                 default:
 601                         ip = strcat1(ban_ip4);
 602                         break;
 603         }
 604         if(ban_idfp)
 605                 id = strcat1(ban_idfp);
 606         else
 607                 id = string_null;
 608
 609         Ban_Insert(ip, bantime, reason, 1);
 610         if(id)
 611                 Ban_Insert(id, bantime, reason, 1);
 612         /*
 613          * not needed, as we enforce the ban in Ban_Insert anyway
 614         // and kick him
 615         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 616         dropclient(client);
 617          */
 618 }