qcsrc/server/ipban.qc

   1 #include "ipban.qh"
   2
   3 #include <server/defs.qh>
   4 #include <server/miscfunctions.qh>
   5 #include "autocvars.qh"
   6 #include "command/banning.qh"
   7 #include "defs.qh"
   8 #include "../common/constants.qh"
   9 #include "../common/util.qh"
  10
  11 /*
  12  * Protocol of online ban list:
  13  *
  14  * - Reporting a ban:
  15  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
  16  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
  17  * - Removing a ban:
  18  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
  19  * - Querying the ban list
  20  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  21  *
  22  *     shows the bans from the listed servers, and possibly others.
  23  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  24  *     newline ONLY (no carriage return):
  25  *
  26  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  27  *     time left in seconds
  28  *     reason of the ban
  29  *     server IP that registered the ban
  30  */
  31
  32 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
  33
  34 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  35
  36 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  37 {
  38         string uri;
  39         float i, n;
  40
  41         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
  42         uri = strcat(uri, "&ip=", uri_escape(ip));
  43         uri = strcat(uri, "&duration=", ftos(bantime));
  44         uri = strcat(uri, "&reason=", uri_escape(reason));
  45
  46         n = tokenize_console(autocvar_g_ban_sync_uri);
  47         if(n >= MAX_IPBAN_URIS)
  48                 n = MAX_IPBAN_URIS;
  49         for(i = 0; i < n; ++i)
  50         {
  51                 if(strstrofs(argv(i), "?", 0) >= 0)
  52                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  53                 else
  54                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  55         }
  56 }
  57
  58 void OnlineBanList_SendUnban(string ip)
  59 {
  60         string uri;
  61         float i, n;
  62
  63         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
  64         uri = strcat(uri, "&ip=", uri_escape(ip));
  65
  66         n = tokenize_console(autocvar_g_ban_sync_uri);
  67         if(n >= MAX_IPBAN_URIS)
  68                 n = MAX_IPBAN_URIS;
  69         for(i = 0; i < n; ++i)
  70         {
  71                 if(strstrofs(argv(i), "?", 0) >= 0)
  72                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  73                 else
  74                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  75         }
  76 }
  77
  78 string OnlineBanList_Servers;
  79 float OnlineBanList_Timeout;
  80 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  81
  82 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  83 {
  84         float n, i, j, l;
  85         string ip;
  86         float timeleft;
  87         string reason;
  88         string serverip;
  89         float syncinterval;
  90         string uri;
  91
  92         id -= URI_GET_IPBAN;
  93
  94         if(id >= MAX_IPBAN_URIS)
  95         {
  96                 LOG_INFO("Received ban list for invalid ID\n");
  97                 return;
  98         }
  99
 100         tokenize_console(autocvar_g_ban_sync_uri);
 101         uri = argv(id);
 102
 103         LOG_INFO("Received ban list from ", uri, ": ");
 104
 105         if(OnlineBanList_RequestWaiting[id] == 0)
 106         {
 107                 LOG_INFO("rejected (unexpected)\n");
 108                 return;
 109         }
 110
 111         OnlineBanList_RequestWaiting[id] = 0;
 112
 113         if(time > OnlineBanList_Timeout)
 114         {
 115                 LOG_INFO("rejected (too late)\n");
 116                 return;
 117         }
 118
 119         syncinterval = autocvar_g_ban_sync_interval;
 120         if(syncinterval == 0)
 121         {
 122                 LOG_INFO("rejected (syncing disabled)\n");
 123                 return;
 124         }
 125         if(syncinterval > 0)
 126                 syncinterval *= 60;
 127
 128         if(status != 0)
 129         {
 130                 LOG_INFO("error: status is ", ftos(status), "\n");
 131                 return;
 132         }
 133
 134         if(substring(data, 0, 1) == "<")
 135         {
 136                 LOG_INFO("error: received HTML instead of a ban list\n");
 137                 return;
 138         }
 139
 140         if(strstrofs(data, "\r", 0) != -1)
 141         {
 142                 LOG_INFO("error: received carriage returns\n");
 143                 return;
 144         }
 145
 146         if(data == "")
 147                 n = 0;
 148         else
 149                 n = tokenizebyseparator(data, "\n");
 150
 151         if((n % 4) != 0)
 152         {
 153                 LOG_INFO("error: received invalid item count: ", ftos(n), "\n");
 154                 return;
 155         }
 156
 157         LOG_INFO("OK, ", ftos(n / 4), " items\n");
 158
 159         for(i = 0; i < n; i += 4)
 160         {
 161                 ip = argv(i);
 162                 timeleft = stof(argv(i + 1));
 163                 reason = argv(i + 2);
 164                 serverip = argv(i + 3);
 165
 166                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
 167                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
 168                 LOG_TRACE(" serverip=", serverip);
 169
 170                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
 171                 if(timeleft < 0)
 172                         continue;
 173
 174                 l = strlen(ip);
 175                 if(l != 44) // length 44 is a cryptographic ID
 176                 {
 177                         for(j = 0; j < l; ++j)
 178                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 179                                 {
 180                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 181                                         goto skip;
 182                                 }
 183                 }
 184
 185                 if(autocvar_g_ban_sync_trusted_servers_verify)
 186                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 187                                 continue;
 188
 189                 if(syncinterval > 0)
 190                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 191                         // the ban will be prolonged on the next sync
 192                         // or expire 5 seconds after the next timeout
 193                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 194                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 195                 LOG_INFO(reason, "\n");
 196
 197 LABEL(skip)
 198         }
 199 }
 200
 201 void OnlineBanList_Think(entity this)
 202 {
 203         float argc;
 204         string uri;
 205         float i, n;
 206
 207         if(autocvar_g_ban_sync_uri == "")
 208                 goto killme;
 209         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
 210                 goto killme;
 211         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
 212         if(argc == 0)
 213                 goto killme;
 214
 215         if(OnlineBanList_Servers)
 216                 strunzone(OnlineBanList_Servers);
 217         OnlineBanList_Servers = argv(0);
 218         for(i = 1; i < argc; ++i)
 219                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 220         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 221
 222         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
 223         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 224
 225         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
 226
 227         n = tokenize_console(autocvar_g_ban_sync_uri);
 228         if(n >= MAX_IPBAN_URIS)
 229                 n = MAX_IPBAN_URIS;
 230         for(i = 0; i < n; ++i)
 231         {
 232                 if(OnlineBanList_RequestWaiting[i])
 233                         continue;
 234                 OnlineBanList_RequestWaiting[i] = 1;
 235                 if(strstrofs(argv(i), "?", 0) >= 0)
 236                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 237                 else
 238                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 239         }
 240
 241         if(autocvar_g_ban_sync_interval > 0)
 242                 this.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
 243         else
 244                 goto killme;
 245         return;
 246
 247 LABEL(killme)
 248         delete(this);
 249 }
 250
 251 const float BAN_MAX = 256;
 252 float ban_loaded;
 253 string ban_ip[BAN_MAX];
 254 float ban_expire[BAN_MAX];
 255 float ban_count;
 256
 257 string ban_ip1;
 258 string ban_ip2;
 259 string ban_ip3;
 260 string ban_ip4;
 261 string ban_idfp;
 262
 263 void Ban_SaveBans()
 264 {
 265         string out;
 266         float i;
 267
 268         if(!ban_loaded)
 269                 return;
 270
 271         // version of list
 272         out = "1";
 273         for(i = 0; i < ban_count; ++i)
 274         {
 275                 if(time > ban_expire[i])
 276                         continue;
 277                 out = strcat(out, " ", ban_ip[i]);
 278                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 279         }
 280         if(strlen(out) <= 1) // no real entries
 281                 cvar_set("g_banned_list", "");
 282         else
 283                 cvar_set("g_banned_list", out);
 284 }
 285
 286 float Ban_Delete(float i)
 287 {
 288         if(i < 0)
 289                 return false;
 290         if(i >= ban_count)
 291                 return false;
 292         if(ban_expire[i] == 0)
 293                 return false;
 294         if(ban_expire[i] > 0)
 295         {
 296                 OnlineBanList_SendUnban(ban_ip[i]);
 297                 strunzone(ban_ip[i]);
 298         }
 299         ban_expire[i] = 0;
 300         ban_ip[i] = "";
 301         Ban_SaveBans();
 302         return true;
 303 }
 304
 305 void Ban_LoadBans()
 306 {
 307         float i, n;
 308         for(i = 0; i < ban_count; ++i)
 309                 Ban_Delete(i);
 310         ban_count = 0;
 311         ban_loaded = true;
 312         n = tokenize_console(autocvar_g_banned_list);
 313         if(stof(argv(0)) == 1)
 314         {
 315                 ban_count = (n - 1) / 2;
 316                 for(i = 0; i < ban_count; ++i)
 317                 {
 318                         ban_ip[i] = strzone(argv(2*i+1));
 319                         ban_expire[i] = time + stof(argv(2*i+2));
 320                 }
 321         }
 322
 323         entity e = new(bansyncer);
 324         setthink(e, OnlineBanList_Think);
 325         e.nextthink = time + 1;
 326 }
 327
 328 void Ban_View()
 329 {
 330         float i, n;
 331         string msg;
 332
 333         LOG_INFO("^2Listing all existing active bans:\n");
 334
 335         n = 0;
 336         for(i = 0; i < ban_count; ++i)
 337         {
 338                 if(time > ban_expire[i])
 339                         continue;
 340
 341                 ++n; // total number of existing bans
 342
 343                 msg = strcat("#", ftos(i), ": ");
 344                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 345                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 346
 347                 LOG_INFO("  ", msg, "\n");
 348         }
 349
 350         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.\n");
 351 }
 352
 353 float Ban_GetClientIP(entity client)
 354 {
 355         // we can't use tokenizing here, as this is called during ban list parsing
 356         float i1, i2, i3, i4;
 357         string s;
 358
 359         if(client.crypto_idfp_signed)
 360                 ban_idfp = client.crypto_idfp;
 361         else
 362                 ban_idfp = string_null;
 363
 364         s = client.netaddress;
 365
 366         i1 = strstrofs(s, ".", 0);
 367         if(i1 < 0)
 368                 goto ipv6;
 369         i2 = strstrofs(s, ".", i1 + 1);
 370         if(i2 < 0)
 371                 return false;
 372         i3 = strstrofs(s, ".", i2 + 1);
 373         if(i3 < 0)
 374                 return false;
 375         i4 = strstrofs(s, ".", i3 + 1);
 376         if(i4 >= 0)
 377                 s = substring(s, 0, i4);
 378
 379         ban_ip1 = substring(s, 0, i1); // 8
 380         ban_ip2 = substring(s, 0, i2); // 16
 381         ban_ip3 = substring(s, 0, i3); // 24
 382         ban_ip4 = strcat1(s); // 32
 383         return true;
 384
 385 LABEL(ipv6)
 386         i1 = strstrofs(s, ":", 0);
 387         if(i1 < 0)
 388                 return false;
 389         i1 = strstrofs(s, ":", i1 + 1);
 390         if(i1 < 0)
 391                 return false;
 392         i2 = strstrofs(s, ":", i1 + 1);
 393         if(i2 < 0)
 394                 return false;
 395         i3 = strstrofs(s, ":", i2 + 1);
 396         if(i3 < 0)
 397                 return false;
 398
 399         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 400         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 401         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 402
 403         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 404                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 405         else
 406                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 407
 408         return true;
 409 }
 410
 411 float Ban_IsClientBanned(entity client, float idx)
 412 {
 413         float i, b, e, ipbanned;
 414         if(!ban_loaded)
 415                 Ban_LoadBans();
 416         if(!Ban_GetClientIP(client))
 417                 return false;
 418         if(idx < 0)
 419         {
 420                 b = 0;
 421                 e = ban_count;
 422         }
 423         else
 424         {
 425                 b = idx;
 426                 e = idx + 1;
 427         }
 428         ipbanned = false;
 429         for(i = b; i < e; ++i)
 430         {
 431                 string s;
 432                 if(time > ban_expire[i])
 433                         continue;
 434                 s = ban_ip[i];
 435                 if(ban_ip1 == s) ipbanned = true;
 436                 if(ban_ip2 == s) ipbanned = true;
 437                 if(ban_ip3 == s) ipbanned = true;
 438                 if(ban_ip4 == s) ipbanned = true;
 439                 if(ban_idfp == s) return true;
 440         }
 441         if(ipbanned)
 442         {
 443                 if(!autocvar_g_banned_list_idmode)
 444                         return true;
 445                 if (!ban_idfp)
 446                         return true;
 447         }
 448         return false;
 449 }
 450
 451 bool Ban_MaybeEnforceBan(entity client)
 452 {
 453         if (Ban_IsClientBanned(client, -1))
 454         {
 455                 string s = sprintf("^1NOTE:^7 banned client %s just tried to enter\n", client.netaddress);
 456                 dropclient(client);
 457                 bprint(s);
 458                 return true;
 459         }
 460         return false;
 461 }
 462
 463 .bool ban_checked;
 464 bool Ban_MaybeEnforceBanOnce(entity client)
 465 {
 466         if (client.ban_checked) return false;
 467         client.ban_checked = true;
 468         return Ban_MaybeEnforceBan(client);
 469 }
 470
 471 string Ban_Enforce(float j, string reason)
 472 {
 473         string s;
 474
 475         // Enforce our new ban
 476         s = "";
 477         FOREACH_CLIENTSLOT(IS_REAL_CLIENT(it),
 478         {
 479                 if(Ban_IsClientBanned(it, j))
 480                 {
 481                         if(reason != "")
 482                         {
 483                                 if(s == "")
 484                                         reason = strcat(reason, ": affects ");
 485                                 else
 486                                         reason = strcat(reason, ", ");
 487                                 reason = strcat(reason, it.netname);
 488                         }
 489                         s = strcat(s, "^1NOTE:^7 banned client ", it.netaddress, "^7 has to go\n");
 490                         dropclient(it);
 491                 }
 492         });
 493         bprint(s);
 494
 495         return reason;
 496 }
 497
 498 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 499 {
 500         float i;
 501         float j;
 502         float bestscore;
 503
 504         // already banned?
 505         for(i = 0; i < ban_count; ++i)
 506                 if(ban_ip[i] == ip)
 507                 {
 508                         // prolong the ban
 509                         if(time + bantime > ban_expire[i])
 510                         {
 511                                 ban_expire[i] = time + bantime;
 512                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now");
 513                         }
 514                         else
 515                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now");
 516
 517                         // and enforce
 518                         reason = Ban_Enforce(i, reason);
 519
 520                         // and abort
 521                         if(dosync)
 522                                 if(reason != "")
 523                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 524                                                 OnlineBanList_SendBan(ip, bantime, reason);
 525
 526                         return false;
 527                 }
 528
 529         // do we have a free slot?
 530         for(i = 0; i < ban_count; ++i)
 531                 if(time > ban_expire[i])
 532                         break;
 533         // no free slot? Then look for the one who would get unbanned next
 534         if(i >= BAN_MAX)
 535         {
 536                 i = 0;
 537                 bestscore = ban_expire[i];
 538                 for(j = 1; j < ban_count; ++j)
 539                 {
 540                         if(ban_expire[j] < bestscore)
 541                         {
 542                                 i = j;
 543                                 bestscore = ban_expire[i];
 544                         }
 545                 }
 546         }
 547         // if we replace someone, will we be banned longer than him (so long-term
 548         // bans never get overridden by short-term bans)
 549         if(i < ban_count)
 550         if(ban_expire[i] > time + bantime)
 551         {
 552                 LOG_INFO(ip, " could not get banned due to no free ban slot\n");
 553                 return false;
 554         }
 555         // okay, insert our new victim as i
 556         Ban_Delete(i);
 557         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds");
 558         ban_expire[i] = time + bantime;
 559         ban_ip[i] = strzone(ip);
 560         ban_count = max(ban_count, i + 1);
 561
 562         Ban_SaveBans();
 563
 564         reason = Ban_Enforce(i, reason);
 565
 566         // and abort
 567         if(dosync)
 568                 if(reason != "")
 569                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 570                                 OnlineBanList_SendBan(ip, bantime, reason);
 571
 572         return true;
 573 }
 574
 575 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 576 {
 577         string ip, id;
 578         if(!Ban_GetClientIP(client))
 579         {
 580                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 581                 dropclient(client);
 582                 return;
 583         }
 584
 585         // who to ban?
 586         switch(masksize)
 587         {
 588                 case 1:
 589                         ip = strcat1(ban_ip1);
 590                         break;
 591                 case 2:
 592                         ip = strcat1(ban_ip2);
 593                         break;
 594                 case 3:
 595                         ip = strcat1(ban_ip3);
 596                         break;
 597                 case 4:
 598                 default:
 599                         ip = strcat1(ban_ip4);
 600                         break;
 601         }
 602         if(ban_idfp)
 603                 id = strcat1(ban_idfp);
 604         else
 605                 id = string_null;
 606
 607         Ban_Insert(ip, bantime, reason, 1);
 608         if(id)
 609                 Ban_Insert(id, bantime, reason, 1);
 610         /*
 611          * not needed, as we enforce the ban in Ban_Insert anyway
 612         // and kick him
 613         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 614         dropclient(client);
 615          */
 616 }