]> de.git.xonotic.org Git - xonotic/xonotic-data.pk3dir.git/blob - qcsrc/server/ipban.qc
Merge branch 'master' into mirceakitsune/universal_reload_system
[xonotic/xonotic-data.pk3dir.git] / qcsrc / server / ipban.qc
1 /*
2  * Protocol of online ban list:
3  *
4  * - Reporting a ban:
5  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
6  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
7  * - Removing a ban:
8  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
9  * - Querying the ban list
10  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
11  *     
12  *     shows the bans from the listed servers, and possibly others.
13  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
14  *     newline ONLY (no carriage return):
15  *
16  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
17  *     time left in seconds
18  *     reason of the ban
19  *     server IP that registered the ban
20  */
21
22 float Ban_Insert(string ip, float bantime, string reason, float dosync);
23
24 void OnlineBanList_SendBan(string ip, float bantime, string reason)
25 {
26         string uri;
27         float i, n;
28
29         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
30         uri = strcat(uri, "&ip=", uri_escape(ip));
31         uri = strcat(uri, "&duration=", ftos(bantime));
32         uri = strcat(uri, "&reason=", uri_escape(reason));
33
34         n = tokenize_console(autocvar_g_ban_sync_uri);
35         if(n >= MAX_IPBAN_URIS)
36                 n = MAX_IPBAN_URIS;
37         for(i = 0; i < n; ++i)
38         {
39                 if(strstrofs(argv(i), "?", 0) >= 0)
40                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
41                 else
42                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
43         }
44 }
45
46 void OnlineBanList_SendUnban(string ip)
47 {
48         string uri;
49         float i, n;
50
51         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
52         uri = strcat(uri, "&ip=", uri_escape(ip));
53
54         n = tokenize_console(autocvar_g_ban_sync_uri);
55         if(n >= MAX_IPBAN_URIS)
56                 n = MAX_IPBAN_URIS;
57         for(i = 0; i < n; ++i)
58         {
59                 if(strstrofs(argv(i), "?", 0) >= 0)
60                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
61                 else
62                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
63         }
64 }
65
66 string OnlineBanList_Servers;
67 float OnlineBanList_Timeout;
68 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
69
70 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
71 {
72         float n, i, j, l;
73         string ip;
74         float timeleft;
75         string reason;
76         string serverip;
77         float syncinterval;
78         string uri;
79
80         id -= URI_GET_IPBAN;
81
82         if(id >= MAX_IPBAN_URIS)
83         {
84                 print("Received ban list for invalid ID\n");
85                 return;
86         }
87
88         tokenize_console(autocvar_g_ban_sync_uri);
89         uri = argv(id);
90
91         print("Received ban list from ", uri, ": ");
92
93         if(OnlineBanList_RequestWaiting[id] == 0)
94         {
95                 print("rejected (unexpected)\n");
96                 return;
97         }
98
99         OnlineBanList_RequestWaiting[id] = 0;
100
101         if(time > OnlineBanList_Timeout)
102         {
103                 print("rejected (too late)\n");
104                 return;
105         }
106
107         syncinterval = autocvar_g_ban_sync_interval;
108         if(syncinterval == 0)
109         {
110                 print("rejected (syncing disabled)\n");
111                 return;
112         }
113         if(syncinterval > 0)
114                 syncinterval *= 60;
115         
116         if(status != 0)
117         {
118                 print("error: status is ", ftos(status), "\n");
119                 return;
120         }
121
122         if(substring(data, 0, 1) == "<")
123         {
124                 print("error: received HTML instead of a ban list\n");
125                 return;
126         }
127
128         if(strstrofs(data, "\r", 0) != -1)
129         {
130                 print("error: received carriage returns\n");
131                 return;
132         }
133
134         if(data == "")
135                 n = 0;
136         else
137                 n = tokenizebyseparator(data, "\n");
138
139         if(mod(n, 4) != 0)
140         {
141                 print("error: received invalid item count: ", ftos(n), "\n");
142                 return;
143         }
144
145         print("OK, ", ftos(n / 4), " items\n");
146
147         for(i = 0; i < n; i += 4)
148         {
149                 ip = argv(i);
150                 timeleft = stof(argv(i + 1));
151                 reason = argv(i + 2);
152                 serverip = argv(i + 3);
153
154                 dprint("received ban list item ", ftos(i / 4), ": ip=", ip);
155                 dprint(" timeleft=", ftos(timeleft), " reason=", reason);
156                 dprint(" serverip=", serverip, "\n");
157
158                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
159                 if(timeleft < 0)
160                         continue;
161
162                 l = strlen(ip);
163                 if(l != 44) // length 44 is a cryptographic ID
164                 {
165                         for(j = 0; j < l; ++j)
166                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
167                                 {
168                                         print("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
169                                         goto skip;
170                                 }
171                 }
172
173                 if(autocvar_g_ban_sync_trusted_servers_verify)
174                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
175                                 continue;
176
177                 if(syncinterval > 0)
178                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
179                         // the ban will be prolonged on the next sync
180                         // or expire 5 seconds after the next timeout
181                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
182                 print("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
183                 print(reason, "\n");
184
185 :skip
186         }
187 }
188
189 void OnlineBanList_Think()
190 {
191         float argc;
192         string uri;
193         float i, n;
194         
195         if(autocvar_g_ban_sync_uri == "")
196                 goto killme;
197         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
198                 goto killme;
199         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
200         if(argc == 0)
201                 goto killme;
202
203         if(OnlineBanList_Servers)
204                 strunzone(OnlineBanList_Servers);
205         OnlineBanList_Servers = argv(0);
206         for(i = 1; i < argc; ++i)
207                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
208         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
209         
210         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
211         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
212
213         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
214
215         n = tokenize_console(autocvar_g_ban_sync_uri);
216         if(n >= MAX_IPBAN_URIS)
217                 n = MAX_IPBAN_URIS;
218         for(i = 0; i < n; ++i)
219         {
220                 if(OnlineBanList_RequestWaiting[i])
221                         continue;
222                 OnlineBanList_RequestWaiting[i] = 1;
223                 if(strstrofs(argv(i), "?", 0) >= 0)
224                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
225                 else
226                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
227         }
228         
229         if(autocvar_g_ban_sync_interval > 0)
230                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
231         else
232                 goto killme;
233         return;
234
235 :killme
236         remove(self);
237 }
238
239 #define BAN_MAX 256
240 float ban_loaded;
241 string ban_ip[BAN_MAX];
242 float ban_expire[BAN_MAX];
243 float ban_count;
244
245 string ban_ip1;
246 string ban_ip2;
247 string ban_ip3;
248 string ban_ip4;
249 string ban_idfp;
250
251 void Ban_SaveBans()
252 {
253         string out;
254         float i;
255
256         if(!ban_loaded)
257                 return;
258
259         // version of list
260         out = "1";
261         for(i = 0; i < ban_count; ++i)
262         {
263                 if(time > ban_expire[i])
264                         continue;
265                 out = strcat(out, " ", ban_ip[i]);
266                 out = strcat(out, " ", ftos(ban_expire[i] - time));
267         }
268         if(strlen(out) <= 1) // no real entries
269                 cvar_set("g_banned_list", "");
270         else
271                 cvar_set("g_banned_list", out);
272 }
273
274 float Ban_Delete(float i)
275 {
276         if(i < 0)
277                 return FALSE;
278         if(i >= ban_count)
279                 return FALSE;
280         if(ban_expire[i] == 0)
281                 return FALSE;
282         if(ban_expire[i] > 0)
283         {
284                 OnlineBanList_SendUnban(ban_ip[i]);
285                 strunzone(ban_ip[i]);
286         }
287         ban_expire[i] = 0;
288         ban_ip[i] = "";
289         Ban_SaveBans();
290         return TRUE;
291 }
292
293 void Ban_LoadBans()
294 {
295         float i, n;
296         for(i = 0; i < ban_count; ++i)
297                 Ban_Delete(i);
298         ban_count = 0;
299         ban_loaded = TRUE;
300         n = tokenize_console(autocvar_g_banned_list);
301         if(stof(argv(0)) == 1)
302         {
303                 ban_count = (n - 1) / 2;
304                 for(i = 0; i < ban_count; ++i)
305                 {
306                         ban_ip[i] = strzone(argv(2*i+1));
307                         ban_expire[i] = time + stof(argv(2*i+2));
308                 }
309         }
310
311         entity e;
312         e = spawn();
313         e.classname = "bansyncer";
314         e.think = OnlineBanList_Think;
315         e.nextthink = time + 1;
316 }
317
318 void Ban_View()
319 {
320         float i;
321         string msg;
322         for(i = 0; i < ban_count; ++i)
323         {
324                 if(time > ban_expire[i])
325                         continue;
326                 msg = strcat("#", ftos(i), ": ");
327                 msg = strcat(msg, ban_ip[i], " is still banned for ");
328                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
329                 print(msg, "\n");
330         }
331 }
332
333 float Ban_GetClientIP(entity client)
334 {
335         // we can't use tokenizing here, as this is called during ban list parsing
336         float i1, i2, i3, i4;
337         string s;
338
339         if(client.crypto_keyfp)
340                 ban_idfp = client.crypto_idfp;
341         else
342                 ban_idfp = string_null;
343
344         s = client.netaddress;
345
346         i1 = strstrofs(s, ".", 0);
347         if(i1 < 0)
348                 goto ipv6;
349         i2 = strstrofs(s, ".", i1 + 1);
350         if(i2 < 0)
351                 return FALSE;
352         i3 = strstrofs(s, ".", i2 + 1);
353         if(i3 < 0)
354                 return FALSE;
355         i4 = strstrofs(s, ".", i3 + 1);
356         if(i4 >= 0)
357                 s = substring(s, 0, i4);
358         
359         ban_ip1 = substring(s, 0, i1); // 8
360         ban_ip2 = substring(s, 0, i2); // 16
361         ban_ip3 = substring(s, 0, i3); // 24
362         ban_ip4 = strcat1(s); // 32
363         return TRUE;
364
365 :ipv6
366         i1 = strstrofs(s, ":", 0);
367         if(i1 < 0)
368                 return FALSE;
369         i1 = strstrofs(s, ":", i1 + 1);
370         if(i1 < 0)
371                 return FALSE;
372         i2 = strstrofs(s, ":", i1 + 1);
373         if(i2 < 0)
374                 return FALSE;
375         i3 = strstrofs(s, ":", i2 + 1);
376         if(i3 < 0)
377                 return FALSE;
378
379         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
380         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
381         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
382
383         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
384                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
385         else
386                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
387
388         return TRUE;
389 }
390
391 float Ban_IsClientBanned(entity client, float idx)
392 {
393         float i, b, e, ipbanned;
394         if(!ban_loaded)
395                 Ban_LoadBans();
396         if(!Ban_GetClientIP(client))
397                 return FALSE;
398         if(idx < 0)
399         {
400                 b = 0;
401                 e = ban_count;
402         }
403         else
404         {
405                 b = idx;
406                 e = idx + 1;
407         }
408         ipbanned = FALSE;
409         for(i = b; i < e; ++i)
410         {
411                 string s;
412                 if(time > ban_expire[i])
413                         continue;
414                 s = ban_ip[i];
415                 if(ban_ip1 == s) ipbanned = TRUE;
416                 if(ban_ip2 == s) ipbanned = TRUE;
417                 if(ban_ip3 == s) ipbanned = TRUE;
418                 if(ban_ip4 == s) ipbanned = TRUE;
419                 if(ban_idfp == s) return TRUE;
420         }
421         if(ipbanned)
422                 if(!autocvar_g_banned_list_idmode || !ban_idfp)
423                         return TRUE;
424         return FALSE;
425 }
426
427 float Ban_MaybeEnforceBan(entity client)
428 {
429         if(Ban_IsClientBanned(client, -1))
430         {
431                 string s;
432                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
433                 dropclient(client);
434                 bprint(s);
435                 return TRUE;
436         }
437         return FALSE;
438 }
439
440 string Ban_Enforce(float i, string reason)
441 {
442         string s;
443         entity e;
444
445         // Enforce our new ban
446         s = "";
447         FOR_EACH_REALCLIENT(e)
448                 if(Ban_IsClientBanned(e, i))
449                 {
450                         if(reason != "")
451                         {
452                                 if(s == "")
453                                         reason = strcat(reason, ": affects ");
454                                 else
455                                         reason = strcat(reason, ", ");
456                                 reason = strcat(reason, e.netname);
457                         }
458                         s = strcat(s, "^1NOTE:^7 banned client ", e.netname, "^7 has to go\n");
459                         dropclient(e);
460                 }
461         bprint(s);
462
463         return reason;
464 }
465
466 float Ban_Insert(string ip, float bantime, string reason, float dosync)
467 {
468         float i;
469         float j;
470         float bestscore;
471
472         // already banned?
473         for(i = 0; i < ban_count; ++i)
474                 if(ban_ip[i] == ip)
475                 {
476                         // prolong the ban
477                         if(time + bantime > ban_expire[i])
478                         {
479                                 ban_expire[i] = time + bantime;
480                                 dprint(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
481                         }
482                         else
483                                 dprint(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
484
485                         // and enforce
486                         reason = Ban_Enforce(i, reason);
487
488                         // and abort
489                         if(dosync)
490                                 if(reason != "")
491                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
492                                                 OnlineBanList_SendBan(ip, bantime, reason);
493
494                         return FALSE;
495                 }
496
497         // do we have a free slot?
498         for(i = 0; i < ban_count; ++i)
499                 if(time > ban_expire[i])
500                         break;
501         // no free slot? Then look for the one who would get unbanned next
502         if(i >= BAN_MAX)
503         {
504                 i = 0;
505                 bestscore = ban_expire[i];
506                 for(j = 1; j < ban_count; ++j)
507                 {
508                         if(ban_expire[j] < bestscore)
509                         {
510                                 i = j;
511                                 bestscore = ban_expire[i];
512                         }
513                 }
514         }
515         // if we replace someone, will we be banned longer than him (so long-term
516         // bans never get overridden by short-term bans)
517         if(i < ban_count)
518         if(ban_expire[i] > time + bantime)
519         {
520                 print(ip, " could not get banned due to no free ban slot\n");
521                 return FALSE;
522         }
523         // okay, insert our new victim as i
524         Ban_Delete(i);
525         dprint(ip, " has been banned for ", ftos(bantime), " seconds\n");
526         ban_expire[i] = time + bantime;
527         ban_ip[i] = strzone(ip);
528         ban_count = max(ban_count, i + 1);
529
530         Ban_SaveBans();
531
532         reason = Ban_Enforce(i, reason);
533
534         // and abort
535         if(dosync)
536                 if(reason != "")
537                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
538                                 OnlineBanList_SendBan(ip, bantime, reason);
539
540         return TRUE;
541 }
542
543 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
544 {
545         if(!Ban_GetClientIP(client))
546         {
547                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
548                 dropclient(client);
549                 return;
550         }
551         // now ban him
552         switch(masksize)
553         {
554                 case 1:
555                         Ban_Insert(ban_ip1, bantime, reason, 1);
556                         break;
557                 case 2:
558                         Ban_Insert(ban_ip2, bantime, reason, 1);
559                         break;
560                 case 3:
561                         Ban_Insert(ban_ip3, bantime, reason, 1);
562                         break;
563                 case 4:
564                 default:
565                         Ban_Insert(ban_ip4, bantime, reason, 1);
566                         break;
567         }
568         if(ban_idfp)
569                 Ban_Insert(ban_idfp, bantime, reason, 1);
570         /*
571          * not needed, as we enforce the ban in Ban_Insert anyway
572         // and kick him
573         sprint(client, strcat("Kickbanned: ", reason, "\n"));
574         dropclient(client);
575          */
576 }
577
578 float GameCommand_Ban(string command)
579 {
580         float argc;
581         float bantime;
582         entity client;
583         float entno;
584         float masksize;
585         string reason;
586         float reasonarg;
587
588         argc = tokenize_console(command);
589         if(argv(0) == "help")
590         {
591                 print("  kickban # n m p reason - kickban player n for m seconds, using mask size p (1 to 4)\n");
592                 print("  ban ip m reason - ban an IP or range (incomplete IP, like 1.2.3) for m seconds\n");
593                 print("  bans - list all existing bans\n");
594                 print("  unban n - delete the entry #n from the bans list\n");
595                 return TRUE;
596         }
597         if(argv(0) == "kickban")
598         {
599 #define INITARG(c) reasonarg = c
600 #define GETARG(v,d) if((argc > reasonarg) && ((v = stof(argv(reasonarg))) != 0)) ++reasonarg; else v = d
601 #define RESTARG(v) if(argc > reasonarg) v = substring(command, argv_start_index(reasonarg), strlen(command) - argv_start_index(reasonarg)); else v = ""
602                 if(argc >= 3)
603                 {
604                         entno = stof(argv(2));
605                         if(entno > maxclients || entno < 1)
606                                 return TRUE;
607                         client = edict_num(entno);
608
609                         INITARG(3);
610                         GETARG(bantime, autocvar_g_ban_default_bantime);
611                         GETARG(masksize, autocvar_g_ban_default_masksize);
612                         RESTARG(reason);
613
614                         Ban_KickBanClient(client, bantime, masksize, reason);
615                         return TRUE;
616                 }
617         }
618         else if(argv(0) == "ban")
619         {
620                 if(argc >= 2)
621                 {
622                         string ip;
623                         ip = argv(1);
624
625                         INITARG(2);
626                         GETARG(bantime, autocvar_g_ban_default_bantime);
627                         RESTARG(reason);
628
629                         Ban_Insert(ip, bantime, reason, 1);
630                         return TRUE;
631                 }
632 #undef INITARG
633 #undef GETARG
634 #undef RESTARG
635         }
636         else if(argv(0) == "bans")
637         {
638                 Ban_View();
639                 return TRUE;
640         }
641         else if(argv(0) == "unban")
642         {
643                 if(argc >= 2)
644                 {
645                         float who;
646                         who = stof(argv(1));
647                         Ban_Delete(who);
648                         return TRUE;
649                 }
650         }
651         return FALSE;
652 }