qcsrc/server/ipban.qc

   1 /*
   2  * Protocol of online ban list:
   3  *
   4  * - Reporting a ban:
   5  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
   6  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
   7  * - Removing a ban:
   8  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
   9  * - Querying the ban list
  10  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
  11  *
  12  *     shows the bans from the listed servers, and possibly others.
  13  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
  14  *     newline ONLY (no carriage return):
  15  *
  16  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
  17  *     time left in seconds
  18  *     reason of the ban
  19  *     server IP that registered the ban
  20  */
  21
  22 float Ban_Insert(string ip, float bantime, string reason, float dosync);
  23
  24 void OnlineBanList_SendBan(string ip, float bantime, string reason)
  25 {
  26         string uri;
  27         float i, n;
  28
  29         uri = strcat(     "action=ban&hostname=", uri_escape(cvar_string("hostname")));
  30         uri = strcat(uri, "&ip=", uri_escape(ip));
  31         uri = strcat(uri, "&duration=", ftos(bantime));
  32         uri = strcat(uri, "&reason=", uri_escape(reason));
  33
  34         n = tokenize_console(cvar_string("g_ban_sync_uri"));
  35         if(n >= MAX_IPBAN_URIS)
  36                 n = MAX_IPBAN_URIS;
  37         for(i = 0; i < n; ++i)
  38         {
  39                 if(strstrofs(argv(i), "?", 0) >= 0)
  40                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  41                 else
  42                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  43         }
  44 }
  45
  46 void OnlineBanList_SendUnban(string ip)
  47 {
  48         string uri;
  49         float i, n;
  50
  51         uri = strcat(     "action=unban&hostname=", uri_escape(cvar_string("hostname")));
  52         uri = strcat(uri, "&ip=", uri_escape(ip));
  53
  54         n = tokenize_console(cvar_string("g_ban_sync_uri"));
  55         if(n >= MAX_IPBAN_URIS)
  56                 n = MAX_IPBAN_URIS;
  57         for(i = 0; i < n; ++i)
  58         {
  59                 if(strstrofs(argv(i), "?", 0) >= 0)
  60                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  61                 else
  62                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
  63         }
  64 }
  65
  66 string OnlineBanList_Servers;
  67 float OnlineBanList_Timeout;
  68 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
  69
  70 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
  71 {
  72         float n, i, j, l;
  73         string ip;
  74         float timeleft;
  75         string reason;
  76         string serverip;
  77         float syncinterval;
  78         string uri;
  79
  80         id -= URI_GET_IPBAN;
  81
  82         if(id >= MAX_IPBAN_URIS)
  83         {
  84                 print("Received ban list for invalid ID\n");
  85                 return;
  86         }
  87
  88         tokenize_console(cvar_string("g_ban_sync_uri"));
  89         uri = argv(id);
  90
  91         print("Received ban list from ", uri, ": ");
  92
  93         if(OnlineBanList_RequestWaiting[id] == 0)
  94         {
  95                 print("rejected (unexpected)\n");
  96                 return;
  97         }
  98
  99         OnlineBanList_RequestWaiting[id] = 0;
 100
 101         if(time > OnlineBanList_Timeout)
 102         {
 103                 print("rejected (too late)\n");
 104                 return;
 105         }
 106
 107         syncinterval = cvar("g_ban_sync_interval");
 108         if(syncinterval == 0)
 109         {
 110                 print("rejected (syncing disabled)\n");
 111                 return;
 112         }
 113         if(syncinterval > 0)
 114                 syncinterval *= 60;
 115
 116         if(status != 0)
 117         {
 118                 print("error: status is ", ftos(status), "\n");
 119                 return;
 120         }
 121
 122         if(substring(data, 0, 1) == "<")
 123         {
 124                 print("error: received HTML instead of a ban list\n");
 125                 return;
 126         }
 127
 128         if(strstrofs(data, "\r", 0) != -1)
 129         {
 130                 print("error: received carriage returns\n");
 131                 return;
 132         }
 133
 134         if(data == "")
 135                 n = 0;
 136         else
 137                 n = tokenizebyseparator(data, "\n");
 138
 139         if(mod(n, 4) != 0)
 140         {
 141                 print("error: received invalid item count: ", ftos(n), "\n");
 142                 return;
 143         }
 144
 145         print("OK, ", ftos(n / 4), " items\n");
 146
 147         for(i = 0; i < n; i += 4)
 148         {
 149                 ip = argv(i);
 150                 timeleft = stof(argv(i + 1));
 151                 reason = argv(i + 2);
 152                 serverip = argv(i + 3);
 153
 154                 dprint("received ban list item ", ftos(i / 4), ": ip=", ip);
 155                 dprint(" timeleft=", ftos(timeleft), " reason=", reason);
 156                 dprint(" serverip=", serverip, "\n");
 157
 158                 timeleft -= 1.5 * cvar("g_ban_sync_timeout");
 159                 if(timeleft < 0)
 160                         continue;
 161
 162                 l = strlen(ip);
 163                 if(l != 44) // length 44 is a cryptographic ID
 164                 {
 165                         for(j = 0; j < l; ++j)
 166                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
 167                                 {
 168                                         print("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
 169                                         goto skip;
 170                                 }
 171                 }
 172
 173                 if(cvar("g_ban_sync_trusted_servers_verify"))
 174                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
 175                                 continue;
 176
 177                 if(syncinterval > 0)
 178                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
 179                         // the ban will be prolonged on the next sync
 180                         // or expire 5 seconds after the next timeout
 181                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
 182                 print("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
 183                 print(reason, "\n");
 184
 185 :skip
 186         }
 187 }
 188
 189 void OnlineBanList_Think()
 190 {
 191         float argc;
 192         string uri;
 193         float i, n;
 194
 195         if(cvar_string("g_ban_sync_uri") == "")
 196                 goto killme;
 197         if(cvar("g_ban_sync_interval") == 0) // < 0 is okay, it means "sync on level start only"
 198                 goto killme;
 199         argc = tokenize_console(cvar_string("g_ban_sync_trusted_servers"));
 200         if(argc == 0)
 201                 goto killme;
 202
 203         if(OnlineBanList_Servers)
 204                 strunzone(OnlineBanList_Servers);
 205         OnlineBanList_Servers = argv(0);
 206         for(i = 1; i < argc; ++i)
 207                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
 208         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
 209
 210         uri = strcat(     "action=list&hostname=", uri_escape(cvar_string("hostname")));
 211         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
 212
 213         OnlineBanList_Timeout = time + cvar("g_ban_sync_timeout");
 214
 215         n = tokenize_console(cvar_string("g_ban_sync_uri"));
 216         if(n >= MAX_IPBAN_URIS)
 217                 n = MAX_IPBAN_URIS;
 218         for(i = 0; i < n; ++i)
 219         {
 220                 if(OnlineBanList_RequestWaiting[i])
 221                         continue;
 222                 OnlineBanList_RequestWaiting[i] = 1;
 223                 if(strstrofs(argv(i), "?", 0) >= 0)
 224                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 225                 else
 226                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
 227         }
 228
 229         if(cvar("g_ban_sync_interval") > 0)
 230                 self.nextthink = time + max(60, cvar("g_ban_sync_interval") * 60);
 231         else
 232                 goto killme;
 233         return;
 234
 235 :killme
 236         remove(self);
 237 }
 238
 239 #define BAN_MAX 256
 240 float ban_loaded;
 241 string ban_ip[BAN_MAX];
 242 float ban_expire[BAN_MAX];
 243 float ban_count;
 244
 245 string ban_ip1;
 246 string ban_ip2;
 247 string ban_ip3;
 248 string ban_ip4;
 249 string ban_idfp;
 250
 251 void Ban_SaveBans()
 252 {
 253         string out;
 254         float i;
 255
 256         if(!ban_loaded)
 257                 return;
 258
 259         // version of list
 260         out = "1";
 261         for(i = 0; i < ban_count; ++i)
 262         {
 263                 if(time > ban_expire[i])
 264                         continue;
 265                 out = strcat(out, " ", ban_ip[i]);
 266                 out = strcat(out, " ", ftos(ban_expire[i] - time));
 267         }
 268         if(strlen(out) <= 1) // no real entries
 269                 cvar_set("g_banned_list", "");
 270         else
 271                 cvar_set("g_banned_list", out);
 272 }
 273
 274 float Ban_Delete(float i)
 275 {
 276         if(i < 0)
 277                 return FALSE;
 278         if(i >= ban_count)
 279                 return FALSE;
 280         if(ban_expire[i] == 0)
 281                 return FALSE;
 282         if(ban_expire[i] > 0)
 283         {
 284                 OnlineBanList_SendUnban(ban_ip[i]);
 285                 strunzone(ban_ip[i]);
 286         }
 287         ban_expire[i] = 0;
 288         ban_ip[i] = "";
 289         Ban_SaveBans();
 290         return TRUE;
 291 }
 292
 293 void Ban_LoadBans()
 294 {
 295         float i, n;
 296         for(i = 0; i < ban_count; ++i)
 297                 Ban_Delete(i);
 298         ban_count = 0;
 299         ban_loaded = TRUE;
 300         n = tokenize_console(cvar_string("g_banned_list"));
 301         if(stof(argv(0)) == 1)
 302         {
 303                 ban_count = (n - 1) / 2;
 304                 for(i = 0; i < ban_count; ++i)
 305                 {
 306                         ban_ip[i] = strzone(argv(2*i+1));
 307                         ban_expire[i] = time + stof(argv(2*i+2));
 308                 }
 309         }
 310
 311         entity e;
 312         e = spawn();
 313         e.classname = "bansyncer";
 314         e.think = OnlineBanList_Think;
 315         e.nextthink = time + 1;
 316 }
 317
 318 void Ban_View()
 319 {
 320         float i;
 321         string msg;
 322         for(i = 0; i < ban_count; ++i)
 323         {
 324                 if(time > ban_expire[i])
 325                         continue;
 326                 msg = strcat("#", ftos(i), ": ");
 327                 msg = strcat(msg, ban_ip[i], " is still banned for ");
 328                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
 329                 print(msg, "\n");
 330         }
 331 }
 332
 333 float Ban_GetClientIP(entity client)
 334 {
 335         // we can't use tokenizing here, as this is called during ban list parsing
 336         float i1, i2, i3, i4;
 337         string s;
 338
 339         if(client.crypto_keyfp)
 340                 ban_idfp = client.crypto_idfp;
 341         else
 342                 ban_idfp = string_null;
 343
 344         s = client.netaddress;
 345
 346         i1 = strstrofs(s, ".", 0);
 347         if(i1 < 0)
 348                 goto ipv6;
 349         i2 = strstrofs(s, ".", i1 + 1);
 350         if(i2 < 0)
 351                 return FALSE;
 352         i3 = strstrofs(s, ".", i2 + 1);
 353         if(i3 < 0)
 354                 return FALSE;
 355         i4 = strstrofs(s, ".", i3 + 1);
 356         if(i4 >= 0)
 357                 s = substring(s, 0, i4);
 358
 359         ban_ip1 = substring(s, 0, i1); // 8
 360         ban_ip2 = substring(s, 0, i2); // 16
 361         ban_ip3 = substring(s, 0, i3); // 24
 362         ban_ip4 = strcat1(s); // 32
 363         return TRUE;
 364
 365 :ipv6
 366         i1 = strstrofs(s, ":", 0);
 367         if(i1 < 0)
 368                 return FALSE;
 369         i1 = strstrofs(s, ":", i1 + 1);
 370         if(i1 < 0)
 371                 return FALSE;
 372         i2 = strstrofs(s, ":", i1 + 1);
 373         if(i2 < 0)
 374                 return FALSE;
 375         i3 = strstrofs(s, ":", i2 + 1);
 376         if(i3 < 0)
 377                 return FALSE;
 378
 379         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
 380         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
 381         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
 382
 383         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
 384                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
 385         else
 386                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
 387
 388         return TRUE;
 389 }
 390
 391 float Ban_IsClientBanned(entity client, float idx)
 392 {
 393         float i, b, e, ipbanned;
 394         if(!ban_loaded)
 395                 Ban_LoadBans();
 396         if(!Ban_GetClientIP(client))
 397                 return FALSE;
 398         if(idx < 0)
 399         {
 400                 b = 0;
 401                 e = ban_count;
 402         }
 403         else
 404         {
 405                 b = idx;
 406                 e = idx + 1;
 407         }
 408         ipbanned = FALSE;
 409         for(i = b; i < e; ++i)
 410         {
 411                 string s;
 412                 if(time > ban_expire[i])
 413                         continue;
 414                 s = ban_ip[i];
 415                 if(ban_ip1 == s) ipbanned = TRUE;
 416                 if(ban_ip2 == s) ipbanned = TRUE;
 417                 if(ban_ip3 == s) ipbanned = TRUE;
 418                 if(ban_ip4 == s) ipbanned = TRUE;
 419                 if(ban_idfp == s) return TRUE;
 420         }
 421         if(ipbanned)
 422                 if(!cvar("g_banned_list_idmode") || !ban_idfp)
 423                         return TRUE;
 424         return FALSE;
 425 }
 426
 427 float Ban_MaybeEnforceBan(entity client)
 428 {
 429         if(Ban_IsClientBanned(client, -1))
 430         {
 431                 string s;
 432                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
 433                 dropclient(client);
 434                 bprint(s);
 435                 return TRUE;
 436         }
 437         return FALSE;
 438 }
 439
 440 string Ban_Enforce(float i, string reason)
 441 {
 442         string s;
 443         entity e;
 444
 445         // Enforce our new ban
 446         s = "";
 447         FOR_EACH_REALCLIENT(e)
 448                 if(Ban_IsClientBanned(e, i))
 449                 {
 450                         if(reason != "")
 451                         {
 452                                 if(s == "")
 453                                         reason = strcat(reason, ": affects ");
 454                                 else
 455                                         reason = strcat(reason, ", ");
 456                                 reason = strcat(reason, e.netname);
 457                         }
 458                         s = strcat(s, "^1NOTE:^7 banned client ", e.netname, "^7 has to go\n");
 459                         dropclient(e);
 460                 }
 461         bprint(s);
 462
 463         return reason;
 464 }
 465
 466 float Ban_Insert(string ip, float bantime, string reason, float dosync)
 467 {
 468         float i;
 469         float j;
 470         float bestscore;
 471
 472         // already banned?
 473         for(i = 0; i < ban_count; ++i)
 474                 if(ban_ip[i] == ip)
 475                 {
 476                         // prolong the ban
 477                         if(time + bantime > ban_expire[i])
 478                         {
 479                                 ban_expire[i] = time + bantime;
 480                                 dprint(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
 481                         }
 482                         else
 483                                 dprint(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
 484
 485                         // and enforce
 486                         reason = Ban_Enforce(i, reason);
 487
 488                         // and abort
 489                         if(dosync)
 490                                 if(reason != "")
 491                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 492                                                 OnlineBanList_SendBan(ip, bantime, reason);
 493
 494                         return FALSE;
 495                 }
 496
 497         // do we have a free slot?
 498         for(i = 0; i < ban_count; ++i)
 499                 if(time > ban_expire[i])
 500                         break;
 501         // no free slot? Then look for the one who would get unbanned next
 502         if(i >= BAN_MAX)
 503         {
 504                 i = 0;
 505                 bestscore = ban_expire[i];
 506                 for(j = 1; j < ban_count; ++j)
 507                 {
 508                         if(ban_expire[j] < bestscore)
 509                         {
 510                                 i = j;
 511                                 bestscore = ban_expire[i];
 512                         }
 513                 }
 514         }
 515         // if we replace someone, will we be banned longer than him (so long-term
 516         // bans never get overridden by short-term bans)
 517         if(i < ban_count)
 518         if(ban_expire[i] > time + bantime)
 519         {
 520                 print(ip, " could not get banned due to no free ban slot\n");
 521                 return FALSE;
 522         }
 523         // okay, insert our new victim as i
 524         Ban_Delete(i);
 525         dprint(ip, " has been banned for ", ftos(bantime), " seconds\n");
 526         ban_expire[i] = time + bantime;
 527         ban_ip[i] = strzone(ip);
 528         ban_count = max(ban_count, i + 1);
 529
 530         Ban_SaveBans();
 531
 532         reason = Ban_Enforce(i, reason);
 533
 534         // and abort
 535         if(dosync)
 536                 if(reason != "")
 537                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
 538                                 OnlineBanList_SendBan(ip, bantime, reason);
 539
 540         return TRUE;
 541 }
 542
 543 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
 544 {
 545         if(!Ban_GetClientIP(client))
 546         {
 547                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
 548                 dropclient(client);
 549                 return;
 550         }
 551         // now ban him
 552         switch(masksize)
 553         {
 554                 case 1:
 555                         Ban_Insert(ban_ip1, bantime, reason, 1);
 556                         break;
 557                 case 2:
 558                         Ban_Insert(ban_ip2, bantime, reason, 1);
 559                         break;
 560                 case 3:
 561                         Ban_Insert(ban_ip3, bantime, reason, 1);
 562                         break;
 563                 case 4:
 564                 default:
 565                         Ban_Insert(ban_ip4, bantime, reason, 1);
 566                         break;
 567         }
 568         if(ban_idfp)
 569                 Ban_Insert(ban_idfp, bantime, reason, 1);
 570         /*
 571          * not needed, as we enforce the ban in Ban_Insert anyway
 572         // and kick him
 573         sprint(client, strcat("Kickbanned: ", reason, "\n"));
 574         dropclient(client);
 575          */
 576 }
 577
 578 float GameCommand_Ban(string command)
 579 {
 580         float argc;
 581         float bantime;
 582         entity client;
 583         float entno;
 584         float masksize;
 585         string reason;
 586         float reasonarg;
 587
 588         argc = tokenize_console(command);
 589         if(argv(0) == "help")
 590         {
 591                 print("  kickban # n m p reason - kickban player n for m seconds, using mask size p (1 to 4)\n");
 592                 print("  ban ip m reason - ban an IP or range (incomplete IP, like 1.2.3) for m seconds\n");
 593                 print("  bans - list all existing bans\n");
 594                 print("  unban n - delete the entry #n from the bans list\n");
 595                 return TRUE;
 596         }
 597         if(argv(0) == "kickban")
 598         {
 599 #define INITARG(c) reasonarg = c
 600 #define GETARG(v,d) if((argc > reasonarg) && ((v = stof(argv(reasonarg))) != 0)) ++reasonarg; else v = d
 601 #define RESTARG(v) if(argc > reasonarg) v = substring(command, argv_start_index(reasonarg), strlen(command) - argv_start_index(reasonarg)); else v = ""
 602                 if(argc >= 3)
 603                 {
 604                         entno = stof(argv(2));
 605                         if(entno > maxclients || entno < 1)
 606                                 return TRUE;
 607                         client = edict_num(entno);
 608
 609                         INITARG(3);
 610                         GETARG(bantime, cvar("g_ban_default_bantime"));
 611                         GETARG(masksize, cvar("g_ban_default_masksize"));
 612                         RESTARG(reason);
 613
 614                         Ban_KickBanClient(client, bantime, masksize, reason);
 615                         return TRUE;
 616                 }
 617         }
 618         else if(argv(0) == "ban")
 619         {
 620                 if(argc >= 2)
 621                 {
 622                         string ip;
 623                         ip = argv(1);
 624
 625                         INITARG(2);
 626                         GETARG(bantime, cvar("g_ban_default_bantime"));
 627                         RESTARG(reason);
 628
 629                         Ban_Insert(ip, bantime, reason, 1);
 630                         return TRUE;
 631                 }
 632 #undef INITARG
 633 #undef GETARG
 634 #undef RESTARG
 635         }
 636         else if(argv(0) == "bans")
 637         {
 638                 Ban_View();
 639                 return TRUE;
 640         }
 641         else if(argv(0) == "unban")
 642         {
 643                 if(argc >= 2)
 644                 {
 645                         float who;
 646                         who = stof(argv(1));
 647                         Ban_Delete(who);
 648                         return TRUE;
 649                 }
 650         }
 651         return FALSE;
 652 }