qcsrc/server/ipban.qc

   1 /*
   2  * Protocol of online ban list:
   3  *
   4  * - Reporting a ban:
   5  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
   6  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
   7  * - Removing a ban:
   8  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
   9  * - Querying the ban list
  10  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  11  *
  12  *     shows the bans from the listed servers, and possibly others.
  13  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  14  *     newline ONLY (no carriage return):
  15  *
  16  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  17  *     time left in seconds
  18  *     reason of the ban
  19  *     server IP that registered the ban
  20  */
  21
  22 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  23
  24 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  25 {
  26         string uri;
  27         float i, n;
  28
  29         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
  30         uri = strcat(uri, "&ip=", uri_escape(ip));
  31         uri = strcat(uri, "&duration=", ftos(bantime));
  32         uri = strcat(uri, "&reason=", uri_escape(reason));
  33
  34         n = tokenize_console(autocvar_g_ban_sync_uri);
  35         if(n >= MAX_IPBAN_URIS)
  36                 n = MAX_IPBAN_URIS;
  37         for(i = 0; i < n; ++i)
  38         {
  39                 if(strstrofs(argv(i), "?", 0) >= 0)
  40                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  41                 else
  42                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  43         }
  44 }
  45
  46 void OnlineBanList_SendUnban(string ip)
  47 {
  48         string uri;
  49         float i, n;
  50
  51         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
  52         uri = strcat(uri, "&ip=", uri_escape(ip));
  53
  54         n = tokenize_console(autocvar_g_ban_sync_uri);
  55         if(n >= MAX_IPBAN_URIS)
  56                 n = MAX_IPBAN_URIS;
  57         for(i = 0; i < n; ++i)
  58         {
  59                 if(strstrofs(argv(i), "?", 0) >= 0)
  60                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  61                 else
  62                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  63         }
  64 }
  65
  66 string OnlineBanList_Servers;
  67 float OnlineBanList_Timeout;
  68 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  69
  70 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  71 {
  72         float n, i, j, l;
  73         string ip;
  74         float timeleft;
  75         string reason;
  76         string serverip;
  77         float syncinterval;
  78         string uri;
  79
  80         id -= URI_GET_IPBAN;
  81
  82         if(id >= MAX_IPBAN_URIS)
  83         {
  84                 print("Received ban list for invalid ID\n");
  85                 return;
  86         }
  87
  88         tokenize_console(autocvar_g_ban_sync_uri);
  89         uri = argv(id);
  90
  91         print("Received ban list from ", uri, ": ");
  92
  93         if(OnlineBanList_RequestWaiting[id] == 0)
  94         {
  95                 print("rejected (unexpected)\n");
  96                 return;
  97         }
  98
  99         OnlineBanList_RequestWaiting[id] = 0;
 100
 101         if(time > OnlineBanList_Timeout)
 102         {
 103                 print("rejected (too late)\n");
 104                 return;
 105         }
 106
 107         syncinterval = autocvar_g_ban_sync_interval;
 108         if(syncinterval == 0)
 109         {
 110                 print("rejected (syncing disabled)\n");
 111                 return;
 112         }
 113         if(syncinterval > 0)
 114                 syncinterval *= 60;
 115
 116         if(status != 0)
 117         {
 118                 print("error: status is ", ftos(status), "\n");
 119                 return;
 120         }
 121
 122         if(substring(data, 0, 1) == "<")
 123         {
 124                 print("error: received HTML instead of a ban list\n");
 125                 return;
 126         }
 127
 128         if(strstrofs(data, "\r", 0) != -1)
 129         {
 130                 print("error: received carriage returns\n");
 131                 return;
 132         }
 133
 134         if(data == "")
 135                 n = 0;
 136         else
 137                 n = tokenizebyseparator(data, "\n");
 138
 139         if(mod(n, 4) != 0)
 140         {
 141                 print("error: received invalid item count: ", ftos(n), "\n");
 142                 return;
 143         }
 144
 145         print("OK, ", ftos(n / 4), " items\n");
 146
 147         for(i = 0; i < n; i += 4)
 148         {
 149                 ip = argv(i);
 150                 timeleft = stof(argv(i + 1));
 151                 reason = argv(i + 2);
 152                 serverip = argv(i + 3);
 153
 154                 dprint("received ban list item ", ftos(i / 4), ": ip=", ip);
 155                 dprint(" timeleft=", ftos(timeleft), " reason=", reason);
 156                 dprint(" serverip=", serverip, "\n");
 157
 158                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
 159                 if(timeleft < 0)
 160                         continue;
 161
 162                 l = strlen(ip);
 163                 if(l != 44) // length 44 is a cryptographic ID
 164                 {
 165                         for(j = 0; j < l; ++j)
 166                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 167                                 {
 168                                         print("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 169                                         goto skip;
 170                                 }
 171                 }
 172
 173                 if(autocvar_g_ban_sync_trusted_servers_verify)
 174                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 175                                 continue;
 176
 177                 if(syncinterval > 0)
 178                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 179                         // the ban will be prolonged on the next sync
 180                         // or expire 5 seconds after the next timeout
 181                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 182                 print("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 183                 print(reason, "\n");
 184
 185 :skip
 186         }
 187 }
 188
 189 void OnlineBanList_Think()
 190 {
 191         float argc;
 192         string uri;
 193         float i, n;
 194
 195         if(autocvar_g_ban_sync_uri == "")
 196                 goto killme;
 197         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
 198                 goto killme;
 199         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
 200         if(argc == 0)
 201                 goto killme;
 202
 203         if(OnlineBanList_Servers)
 204                 strunzone(OnlineBanList_Servers);
 205         OnlineBanList_Servers = argv(0);
 206         for(i = 1; i < argc; ++i)
 207                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 208         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 209
 210         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
 211         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 212
 213         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
 214
 215         n = tokenize_console(autocvar_g_ban_sync_uri);
 216         if(n >= MAX_IPBAN_URIS)
 217                 n = MAX_IPBAN_URIS;
 218         for(i = 0; i < n; ++i)
 219         {
 220                 if(OnlineBanList_RequestWaiting[i])
 221                         continue;
 222                 OnlineBanList_RequestWaiting[i] = 1;
 223                 if(strstrofs(argv(i), "?", 0) >= 0)
 224                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 225                 else
 226                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 227         }
 228
 229         if(autocvar_g_ban_sync_interval > 0)
 230                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
 231         else
 232                 goto killme;
 233         return;
 234
 235 :killme
 236         remove(self);
 237 }
 238
 239 #define BAN_MAX 256
 240 float ban_loaded;
 241 string ban_ip[BAN_MAX];
 242 float ban_expire[BAN_MAX];
 243 float ban_count;
 244
 245 string ban_ip1;
 246 string ban_ip2;
 247 string ban_ip3;
 248 string ban_ip4;
 249 string ban_idfp;
 250
 251 void Ban_SaveBans()
 252 {
 253         string out;
 254         float i;
 255
 256         if(!ban_loaded)
 257                 return;
 258
 259         // version of list
 260         out = "1";
 261         for(i = 0; i < ban_count; ++i)
 262         {
 263                 if(time > ban_expire[i])
 264                         continue;
 265                 out = strcat(out, " ", ban_ip[i]);
 266                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 267         }
 268         if(strlen(out) <= 1) // no real entries
 269                 cvar_set("g_banned_list", "");
 270         else
 271                 cvar_set("g_banned_list", out);
 272 }
 273
 274 float Ban_Delete(float i)
 275 {
 276         if(i < 0)
 277                 return FALSE;
 278         if(i >= ban_count)
 279                 return FALSE;
 280         if(ban_expire[i] == 0)
 281                 return FALSE;
 282         if(ban_expire[i] > 0)
 283         {
 284                 OnlineBanList_SendUnban(ban_ip[i]);
 285                 strunzone(ban_ip[i]);
 286         }
 287         ban_expire[i] = 0;
 288         ban_ip[i] = "";
 289         Ban_SaveBans();
 290         return TRUE;
 291 }
 292
 293 void Ban_LoadBans()
 294 {
 295         float i, n;
 296         for(i = 0; i < ban_count; ++i)
 297                 Ban_Delete(i);
 298         ban_count = 0;
 299         ban_loaded = TRUE;
 300         n = tokenize_console(autocvar_g_banned_list);
 301         if(stof(argv(0)) == 1)
 302         {
 303                 ban_count = (n - 1) / 2;
 304                 for(i = 0; i < ban_count; ++i)
 305                 {
 306                         ban_ip[i] = strzone(argv(2*i+1));
 307                         ban_expire[i] = time + stof(argv(2*i+2));
 308                 }
 309         }
 310
 311         entity e;
 312         e = spawn();
 313         e.classname = "bansyncer";
 314         e.think = OnlineBanList_Think;
 315         e.nextthink = time + 1;
 316 }
 317
 318 void Ban_View()
 319 {
 320         float i, n;
 321         string msg;
 322
 323         print("^2Listing all existing active bans:\n");
 324
 325         for(i = 0; i < ban_count; ++i)
 326         {
 327                 if(time > ban_expire[i])
 328                         continue;
 329
 330                 ++n; // total number of existing bans
 331
 332                 msg = strcat("#", ftos(i), ": ");
 333                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 334                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 335
 336                 print("  ", msg, "\n");
 337         }
 338
 339         print("^2Done listing all active (", ftos(n), ") bans.\n");
 340 }
 341
 342 float Ban_GetClientIP(entity client)
 343 {
 344         // we can't use tokenizing here, as this is called during ban list parsing
 345         float i1, i2, i3, i4;
 346         string s;
 347
 348         if(client.crypto_keyfp)
 349                 ban_idfp = client.crypto_idfp;
 350         else
 351                 ban_idfp = string_null;
 352
 353         s = client.netaddress;
 354
 355         i1 = strstrofs(s, ".", 0);
 356         if(i1 < 0)
 357                 goto ipv6;
 358         i2 = strstrofs(s, ".", i1 + 1);
 359         if(i2 < 0)
 360                 return FALSE;
 361         i3 = strstrofs(s, ".", i2 + 1);
 362         if(i3 < 0)
 363                 return FALSE;
 364         i4 = strstrofs(s, ".", i3 + 1);
 365         if(i4 >= 0)
 366                 s = substring(s, 0, i4);
 367
 368         ban_ip1 = substring(s, 0, i1); // 8
 369         ban_ip2 = substring(s, 0, i2); // 16
 370         ban_ip3 = substring(s, 0, i3); // 24
 371         ban_ip4 = strcat1(s); // 32
 372         return TRUE;
 373
 374 :ipv6
 375         i1 = strstrofs(s, ":", 0);
 376         if(i1 < 0)
 377                 return FALSE;
 378         i1 = strstrofs(s, ":", i1 + 1);
 379         if(i1 < 0)
 380                 return FALSE;
 381         i2 = strstrofs(s, ":", i1 + 1);
 382         if(i2 < 0)
 383                 return FALSE;
 384         i3 = strstrofs(s, ":", i2 + 1);
 385         if(i3 < 0)
 386                 return FALSE;
 387
 388         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 389         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 390         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 391
 392         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 393                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 394         else
 395                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 396
 397         return TRUE;
 398 }
 399
 400 float Ban_IsClientBanned(entity client, float idx)
 401 {
 402         float i, b, e, ipbanned;
 403         if(!ban_loaded)
 404                 Ban_LoadBans();
 405         if(!Ban_GetClientIP(client))
 406                 return FALSE;
 407         if(idx < 0)
 408         {
 409                 b = 0;
 410                 e = ban_count;
 411         }
 412         else
 413         {
 414                 b = idx;
 415                 e = idx + 1;
 416         }
 417         ipbanned = FALSE;
 418         for(i = b; i < e; ++i)
 419         {
 420                 string s;
 421                 if(time > ban_expire[i])
 422                         continue;
 423                 s = ban_ip[i];
 424                 if(ban_ip1 == s) ipbanned = TRUE;
 425                 if(ban_ip2 == s) ipbanned = TRUE;
 426                 if(ban_ip3 == s) ipbanned = TRUE;
 427                 if(ban_ip4 == s) ipbanned = TRUE;
 428                 if(ban_idfp == s) return TRUE;
 429         }
 430         if(ipbanned)
 431                 if(!autocvar_g_banned_list_idmode || !ban_idfp)
 432                         return TRUE;
 433         return FALSE;
 434 }
 435
 436 float Ban_MaybeEnforceBan(entity client)
 437 {
 438         if(Ban_IsClientBanned(client, -1))
 439         {
 440                 string s;
 441                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 442                 dropclient(client);
 443                 bprint(s);
 444                 return TRUE;
 445         }
 446         return FALSE;
 447 }
 448
 449 string Ban_Enforce(float i, string reason)
 450 {
 451         string s;
 452         entity e;
 453
 454         // Enforce our new ban
 455         s = "";
 456         FOR_EACH_REALCLIENT(e)
 457                 if(Ban_IsClientBanned(e, i))
 458                 {
 459                         if(reason != "")
 460                         {
 461                                 if(s == "")
 462                                         reason = strcat(reason, ": affects ");
 463                                 else
 464                                         reason = strcat(reason, ", ");
 465                                 reason = strcat(reason, e.netname);
 466                         }
 467                         s = strcat(s, "^1NOTE:^7 banned client ", e.netname, "^7 has to go\n");
 468                         dropclient(e);
 469                 }
 470         bprint(s);
 471
 472         return reason;
 473 }
 474
 475 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 476 {
 477         float i;
 478         float j;
 479         float bestscore;
 480
 481         // already banned?
 482         for(i = 0; i < ban_count; ++i)
 483                 if(ban_ip[i] == ip)
 484                 {
 485                         // prolong the ban
 486                         if(time + bantime > ban_expire[i])
 487                         {
 488                                 ban_expire[i] = time + bantime;
 489                                 dprint(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 490                         }
 491                         else
 492                                 dprint(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 493
 494                         // and enforce
 495                         reason = Ban_Enforce(i, reason);
 496
 497                         // and abort
 498                         if(dosync)
 499                                 if(reason != "")
 500                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 501                                                 OnlineBanList_SendBan(ip, bantime, reason);
 502
 503                         return FALSE;
 504                 }
 505
 506         // do we have a free slot?
 507         for(i = 0; i < ban_count; ++i)
 508                 if(time > ban_expire[i])
 509                         break;
 510         // no free slot? Then look for the one who would get unbanned next
 511         if(i >= BAN_MAX)
 512         {
 513                 i = 0;
 514                 bestscore = ban_expire[i];
 515                 for(j = 1; j < ban_count; ++j)
 516                 {
 517                         if(ban_expire[j] < bestscore)
 518                         {
 519                                 i = j;
 520                                 bestscore = ban_expire[i];
 521                         }
 522                 }
 523         }
 524         // if we replace someone, will we be banned longer than him (so long-term
 525         // bans never get overridden by short-term bans)
 526         if(i < ban_count)
 527         if(ban_expire[i] > time + bantime)
 528         {
 529                 print(ip, " could not get banned due to no free ban slot\n");
 530                 return FALSE;
 531         }
 532         // okay, insert our new victim as i
 533         Ban_Delete(i);
 534         dprint(ip, " has been banned for ", ftos(bantime), " seconds\n");
 535         ban_expire[i] = time + bantime;
 536         ban_ip[i] = strzone(ip);
 537         ban_count = max(ban_count, i + 1);
 538
 539         Ban_SaveBans();
 540
 541         reason = Ban_Enforce(i, reason);
 542
 543         // and abort
 544         if(dosync)
 545                 if(reason != "")
 546                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 547                                 OnlineBanList_SendBan(ip, bantime, reason);
 548
 549         return TRUE;
 550 }
 551
 552 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 553 {
 554         if(!Ban_GetClientIP(client))
 555         {
 556                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 557                 dropclient(client);
 558                 return;
 559         }
 560         // now ban him
 561         switch(masksize)
 562         {
 563                 case 1:
 564                         Ban_Insert(ban_ip1, bantime, reason, 1);
 565                         break;
 566                 case 2:
 567                         Ban_Insert(ban_ip2, bantime, reason, 1);
 568                         break;
 569                 case 3:
 570                         Ban_Insert(ban_ip3, bantime, reason, 1);
 571                         break;
 572                 case 4:
 573                 default:
 574                         Ban_Insert(ban_ip4, bantime, reason, 1);
 575                         break;
 576         }
 577         if(ban_idfp)
 578                 Ban_Insert(ban_idfp, bantime, reason, 1);
 579         /*
 580          * not needed, as we enforce the ban in Ban_Insert anyway
 581         // and kick him
 582         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 583         dropclient(client);
 584          */
 585 }