qcsrc/server/ipban.qc

   1 #include "ipban.qh"
   2
   3 #include "autocvars.qh"
   4 #include "command/banning.qh"
   5 #include "defs.qh"
   6 #include "../common/constants.qh"
   7 #include "../common/util.qh"
   8
   9 /*
  10  * Protocol of online ban list:
  11  *
  12  * - Reporting a ban:
  13  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
  14  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
  15  * - Removing a ban:
  16  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
  17  * - Querying the ban list
  18  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  19  *
  20  *     shows the bans from the listed servers, and possibly others.
  21  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  22  *     newline ONLY (no carriage return):
  23  *
  24  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  25  *     time left in seconds
  26  *     reason of the ban
  27  *     server IP that registered the ban
  28  */
  29
  30 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
  31
  32 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  33
  34 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  35 {
  36         string uri;
  37         float i, n;
  38
  39         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
  40         uri = strcat(uri, "&ip=", uri_escape(ip));
  41         uri = strcat(uri, "&duration=", ftos(bantime));
  42         uri = strcat(uri, "&reason=", uri_escape(reason));
  43
  44         n = tokenize_console(autocvar_g_ban_sync_uri);
  45         if(n >= MAX_IPBAN_URIS)
  46                 n = MAX_IPBAN_URIS;
  47         for(i = 0; i < n; ++i)
  48         {
  49                 if(strstrofs(argv(i), "?", 0) >= 0)
  50                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  51                 else
  52                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  53         }
  54 }
  55
  56 void OnlineBanList_SendUnban(string ip)
  57 {
  58         string uri;
  59         float i, n;
  60
  61         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
  62         uri = strcat(uri, "&ip=", uri_escape(ip));
  63
  64         n = tokenize_console(autocvar_g_ban_sync_uri);
  65         if(n >= MAX_IPBAN_URIS)
  66                 n = MAX_IPBAN_URIS;
  67         for(i = 0; i < n; ++i)
  68         {
  69                 if(strstrofs(argv(i), "?", 0) >= 0)
  70                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  71                 else
  72                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  73         }
  74 }
  75
  76 string OnlineBanList_Servers;
  77 float OnlineBanList_Timeout;
  78 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  79
  80 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  81 {
  82         float n, i, j, l;
  83         string ip;
  84         float timeleft;
  85         string reason;
  86         string serverip;
  87         float syncinterval;
  88         string uri;
  89
  90         id -= URI_GET_IPBAN;
  91
  92         if(id >= MAX_IPBAN_URIS)
  93         {
  94                 LOG_INFO("Received ban list for invalid ID\n");
  95                 return;
  96         }
  97
  98         tokenize_console(autocvar_g_ban_sync_uri);
  99         uri = argv(id);
 100
 101         LOG_INFO("Received ban list from ", uri, ": ");
 102
 103         if(OnlineBanList_RequestWaiting[id] == 0)
 104         {
 105                 LOG_INFO("rejected (unexpected)\n");
 106                 return;
 107         }
 108
 109         OnlineBanList_RequestWaiting[id] = 0;
 110
 111         if(time > OnlineBanList_Timeout)
 112         {
 113                 LOG_INFO("rejected (too late)\n");
 114                 return;
 115         }
 116
 117         syncinterval = autocvar_g_ban_sync_interval;
 118         if(syncinterval == 0)
 119         {
 120                 LOG_INFO("rejected (syncing disabled)\n");
 121                 return;
 122         }
 123         if(syncinterval > 0)
 124                 syncinterval *= 60;
 125
 126         if(status != 0)
 127         {
 128                 LOG_INFO("error: status is ", ftos(status), "\n");
 129                 return;
 130         }
 131
 132         if(substring(data, 0, 1) == "<")
 133         {
 134                 LOG_INFO("error: received HTML instead of a ban list\n");
 135                 return;
 136         }
 137
 138         if(strstrofs(data, "\r", 0) != -1)
 139         {
 140                 LOG_INFO("error: received carriage returns\n");
 141                 return;
 142         }
 143
 144         if(data == "")
 145                 n = 0;
 146         else
 147                 n = tokenizebyseparator(data, "\n");
 148
 149         if((n % 4) != 0)
 150         {
 151                 LOG_INFO("error: received invalid item count: ", ftos(n), "\n");
 152                 return;
 153         }
 154
 155         LOG_INFO("OK, ", ftos(n / 4), " items\n");
 156
 157         for(i = 0; i < n; i += 4)
 158         {
 159                 ip = argv(i);
 160                 timeleft = stof(argv(i + 1));
 161                 reason = argv(i + 2);
 162                 serverip = argv(i + 3);
 163
 164                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
 165                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
 166                 LOG_TRACE(" serverip=", serverip, "\n");
 167
 168                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
 169                 if(timeleft < 0)
 170                         continue;
 171
 172                 l = strlen(ip);
 173                 if(l != 44) // length 44 is a cryptographic ID
 174                 {
 175                         for(j = 0; j < l; ++j)
 176                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 177                                 {
 178                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 179                                         goto skip;
 180                                 }
 181                 }
 182
 183                 if(autocvar_g_ban_sync_trusted_servers_verify)
 184                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 185                                 continue;
 186
 187                 if(syncinterval > 0)
 188                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 189                         // the ban will be prolonged on the next sync
 190                         // or expire 5 seconds after the next timeout
 191                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 192                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 193                 LOG_INFO(reason, "\n");
 194
 195 LABEL(skip)
 196         }
 197 }
 198
 199 void OnlineBanList_Think(entity this)
 200 {
 201         float argc;
 202         string uri;
 203         float i, n;
 204
 205         if(autocvar_g_ban_sync_uri == "")
 206                 goto killme;
 207         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
 208                 goto killme;
 209         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
 210         if(argc == 0)
 211                 goto killme;
 212
 213         if(OnlineBanList_Servers)
 214                 strunzone(OnlineBanList_Servers);
 215         OnlineBanList_Servers = argv(0);
 216         for(i = 1; i < argc; ++i)
 217                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 218         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 219
 220         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
 221         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 222
 223         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
 224
 225         n = tokenize_console(autocvar_g_ban_sync_uri);
 226         if(n >= MAX_IPBAN_URIS)
 227                 n = MAX_IPBAN_URIS;
 228         for(i = 0; i < n; ++i)
 229         {
 230                 if(OnlineBanList_RequestWaiting[i])
 231                         continue;
 232                 OnlineBanList_RequestWaiting[i] = 1;
 233                 if(strstrofs(argv(i), "?", 0) >= 0)
 234                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 235                 else
 236                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 237         }
 238
 239         if(autocvar_g_ban_sync_interval > 0)
 240                 this.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
 241         else
 242                 goto killme;
 243         return;
 244
 245 LABEL(killme)
 246         remove(this);
 247 }
 248
 249 const float BAN_MAX = 256;
 250 float ban_loaded;
 251 string ban_ip[BAN_MAX];
 252 float ban_expire[BAN_MAX];
 253 float ban_count;
 254
 255 string ban_ip1;
 256 string ban_ip2;
 257 string ban_ip3;
 258 string ban_ip4;
 259 string ban_idfp;
 260
 261 void Ban_SaveBans()
 262 {
 263         string out;
 264         float i;
 265
 266         if(!ban_loaded)
 267                 return;
 268
 269         // version of list
 270         out = "1";
 271         for(i = 0; i < ban_count; ++i)
 272         {
 273                 if(time > ban_expire[i])
 274                         continue;
 275                 out = strcat(out, " ", ban_ip[i]);
 276                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 277         }
 278         if(strlen(out) <= 1) // no real entries
 279                 cvar_set("g_banned_list", "");
 280         else
 281                 cvar_set("g_banned_list", out);
 282 }
 283
 284 float Ban_Delete(float i)
 285 {
 286         if(i < 0)
 287                 return false;
 288         if(i >= ban_count)
 289                 return false;
 290         if(ban_expire[i] == 0)
 291                 return false;
 292         if(ban_expire[i] > 0)
 293         {
 294                 OnlineBanList_SendUnban(ban_ip[i]);
 295                 strunzone(ban_ip[i]);
 296         }
 297         ban_expire[i] = 0;
 298         ban_ip[i] = "";
 299         Ban_SaveBans();
 300         return true;
 301 }
 302
 303 void Ban_LoadBans()
 304 {
 305         float i, n;
 306         for(i = 0; i < ban_count; ++i)
 307                 Ban_Delete(i);
 308         ban_count = 0;
 309         ban_loaded = true;
 310         n = tokenize_console(autocvar_g_banned_list);
 311         if(stof(argv(0)) == 1)
 312         {
 313                 ban_count = (n - 1) / 2;
 314                 for(i = 0; i < ban_count; ++i)
 315                 {
 316                         ban_ip[i] = strzone(argv(2*i+1));
 317                         ban_expire[i] = time + stof(argv(2*i+2));
 318                 }
 319         }
 320
 321         entity e = new(bansyncer);
 322         setthink(e, OnlineBanList_Think);
 323         e.nextthink = time + 1;
 324 }
 325
 326 void Ban_View()
 327 {
 328         float i, n;
 329         string msg;
 330
 331         LOG_INFO("^2Listing all existing active bans:\n");
 332
 333         n = 0;
 334         for(i = 0; i < ban_count; ++i)
 335         {
 336                 if(time > ban_expire[i])
 337                         continue;
 338
 339                 ++n; // total number of existing bans
 340
 341                 msg = strcat("#", ftos(i), ": ");
 342                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 343                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 344
 345                 LOG_INFO("  ", msg, "\n");
 346         }
 347
 348         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.\n");
 349 }
 350
 351 float Ban_GetClientIP(entity client)
 352 {
 353         // we can't use tokenizing here, as this is called during ban list parsing
 354         float i1, i2, i3, i4;
 355         string s;
 356
 357         if(client.crypto_idfp_signed)
 358                 ban_idfp = client.crypto_idfp;
 359         else
 360                 ban_idfp = string_null;
 361
 362         s = client.netaddress;
 363
 364         i1 = strstrofs(s, ".", 0);
 365         if(i1 < 0)
 366                 goto ipv6;
 367         i2 = strstrofs(s, ".", i1 + 1);
 368         if(i2 < 0)
 369                 return false;
 370         i3 = strstrofs(s, ".", i2 + 1);
 371         if(i3 < 0)
 372                 return false;
 373         i4 = strstrofs(s, ".", i3 + 1);
 374         if(i4 >= 0)
 375                 s = substring(s, 0, i4);
 376
 377         ban_ip1 = substring(s, 0, i1); // 8
 378         ban_ip2 = substring(s, 0, i2); // 16
 379         ban_ip3 = substring(s, 0, i3); // 24
 380         ban_ip4 = strcat1(s); // 32
 381         return true;
 382
 383 LABEL(ipv6)
 384         i1 = strstrofs(s, ":", 0);
 385         if(i1 < 0)
 386                 return false;
 387         i1 = strstrofs(s, ":", i1 + 1);
 388         if(i1 < 0)
 389                 return false;
 390         i2 = strstrofs(s, ":", i1 + 1);
 391         if(i2 < 0)
 392                 return false;
 393         i3 = strstrofs(s, ":", i2 + 1);
 394         if(i3 < 0)
 395                 return false;
 396
 397         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 398         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 399         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 400
 401         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 402                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 403         else
 404                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 405
 406         return true;
 407 }
 408
 409 float Ban_IsClientBanned(entity client, float idx)
 410 {
 411         float i, b, e, ipbanned;
 412         if(!ban_loaded)
 413                 Ban_LoadBans();
 414         if(!Ban_GetClientIP(client))
 415                 return false;
 416         if(idx < 0)
 417         {
 418                 b = 0;
 419                 e = ban_count;
 420         }
 421         else
 422         {
 423                 b = idx;
 424                 e = idx + 1;
 425         }
 426         ipbanned = false;
 427         for(i = b; i < e; ++i)
 428         {
 429                 string s;
 430                 if(time > ban_expire[i])
 431                         continue;
 432                 s = ban_ip[i];
 433                 if(ban_ip1 == s) ipbanned = true;
 434                 if(ban_ip2 == s) ipbanned = true;
 435                 if(ban_ip3 == s) ipbanned = true;
 436                 if(ban_ip4 == s) ipbanned = true;
 437                 if(ban_idfp == s) return true;
 438         }
 439         if(ipbanned)
 440         {
 441                 if(!autocvar_g_banned_list_idmode)
 442                         return true;
 443                 if (!ban_idfp)
 444                         return true;
 445         }
 446         return false;
 447 }
 448
 449 bool Ban_MaybeEnforceBan(entity client)
 450 {
 451         if (Ban_IsClientBanned(client, -1))
 452         {
 453                 string s = sprintf("^1NOTE:^7 banned client %s just tried to enter\n", client.netaddress);
 454                 dropclient(client);
 455                 bprint(s);
 456                 return true;
 457         }
 458         return false;
 459 }
 460
 461 .bool ban_checked;
 462 bool Ban_MaybeEnforceBanOnce(entity client)
 463 {
 464         if (client.ban_checked) return false;
 465         client.ban_checked = true;
 466         return Ban_MaybeEnforceBan(client);
 467 }
 468
 469 string Ban_Enforce(float j, string reason)
 470 {
 471         string s;
 472
 473         // Enforce our new ban
 474         s = "";
 475         FOREACH_CLIENTSLOT(IS_REAL_CLIENT(it),
 476         {
 477                 if(Ban_IsClientBanned(it, j))
 478                 {
 479                         if(reason != "")
 480                         {
 481                                 if(s == "")
 482                                         reason = strcat(reason, ": affects ");
 483                                 else
 484                                         reason = strcat(reason, ", ");
 485                                 reason = strcat(reason, it.netname);
 486                         }
 487                         s = strcat(s, "^1NOTE:^7 banned client ", it.netaddress, "^7 has to go\n");
 488                         dropclient(it);
 489                 }
 490         });
 491         bprint(s);
 492
 493         return reason;
 494 }
 495
 496 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 497 {
 498         float i;
 499         float j;
 500         float bestscore;
 501
 502         // already banned?
 503         for(i = 0; i < ban_count; ++i)
 504                 if(ban_ip[i] == ip)
 505                 {
 506                         // prolong the ban
 507                         if(time + bantime > ban_expire[i])
 508                         {
 509                                 ban_expire[i] = time + bantime;
 510                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 511                         }
 512                         else
 513                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 514
 515                         // and enforce
 516                         reason = Ban_Enforce(i, reason);
 517
 518                         // and abort
 519                         if(dosync)
 520                                 if(reason != "")
 521                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 522                                                 OnlineBanList_SendBan(ip, bantime, reason);
 523
 524                         return false;
 525                 }
 526
 527         // do we have a free slot?
 528         for(i = 0; i < ban_count; ++i)
 529                 if(time > ban_expire[i])
 530                         break;
 531         // no free slot? Then look for the one who would get unbanned next
 532         if(i >= BAN_MAX)
 533         {
 534                 i = 0;
 535                 bestscore = ban_expire[i];
 536                 for(j = 1; j < ban_count; ++j)
 537                 {
 538                         if(ban_expire[j] < bestscore)
 539                         {
 540                                 i = j;
 541                                 bestscore = ban_expire[i];
 542                         }
 543                 }
 544         }
 545         // if we replace someone, will we be banned longer than him (so long-term
 546         // bans never get overridden by short-term bans)
 547         if(i < ban_count)
 548         if(ban_expire[i] > time + bantime)
 549         {
 550                 LOG_INFO(ip, " could not get banned due to no free ban slot\n");
 551                 return false;
 552         }
 553         // okay, insert our new victim as i
 554         Ban_Delete(i);
 555         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds\n");
 556         ban_expire[i] = time + bantime;
 557         ban_ip[i] = strzone(ip);
 558         ban_count = max(ban_count, i + 1);
 559
 560         Ban_SaveBans();
 561
 562         reason = Ban_Enforce(i, reason);
 563
 564         // and abort
 565         if(dosync)
 566                 if(reason != "")
 567                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 568                                 OnlineBanList_SendBan(ip, bantime, reason);
 569
 570         return true;
 571 }
 572
 573 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 574 {
 575         string ip, id;
 576         if(!Ban_GetClientIP(client))
 577         {
 578                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 579                 dropclient(client);
 580                 return;
 581         }
 582
 583         // who to ban?
 584         switch(masksize)
 585         {
 586                 case 1:
 587                         ip = strcat1(ban_ip1);
 588                         break;
 589                 case 2:
 590                         ip = strcat1(ban_ip2);
 591                         break;
 592                 case 3:
 593                         ip = strcat1(ban_ip3);
 594                         break;
 595                 case 4:
 596                 default:
 597                         ip = strcat1(ban_ip4);
 598                         break;
 599         }
 600         if(ban_idfp)
 601                 id = strcat1(ban_idfp);
 602         else
 603                 id = string_null;
 604
 605         Ban_Insert(ip, bantime, reason, 1);
 606         if(id)
 607                 Ban_Insert(id, bantime, reason, 1);
 608         /*
 609          * not needed, as we enforce the ban in Ban_Insert anyway
 610         // and kick him
 611         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 612         dropclient(client);
 613          */
 614 }