From 0a1e77c27cfed327e88df68ea4871a6110eb16fc Mon Sep 17 00:00:00 2001 From: Elizabeth Jennifer Myers Date: Sun, 27 Feb 2011 16:38:05 -0500 Subject: [PATCH] Support IPv6 blacklists. Also add a conf file option allowing the use of IPv4, IPv6, or both for a blacklist. Although few blacklists currently support IPv6 lookups, they will likely begin to do so in the near future as more net trash begins using IPv6. --- doc/example.conf | 15 +++++++++- doc/reference.conf | 13 +++++++++ include/blacklist.h | 5 ++-- src/blacklist.c | 67 ++++++++++++++++++++++++++++++++++----------- src/newconf.c | 60 +++++++++++++++++++++++++++++++++++++++- 5 files changed, 140 insertions(+), 20 deletions(-) diff --git a/doc/example.conf b/doc/example.conf index 615f9873..558d51e5 100755 --- a/doc/example.conf +++ b/doc/example.conf @@ -361,7 +361,7 @@ serverhide { * Word to the wise: Do not use blacklists like SPEWS for blocking IRC * connections. * - * As of charybdis 2.1.3, you can do some keyword substitution on the rejection + * As of charybdis 2.2, you can do some keyword substitution on the rejection * reason. The available keyword substitutions are: * * ${ip} - the user's IP @@ -370,19 +370,32 @@ serverhide { * ${nick} - the user's nickname * ${network-name} - the name of the network * + * As of charybdis 3.4, a type parameter is supported, which specifies the + * address families the blacklist supports. IPv4 and IPv6 are supported. + * IPv4 is currently the default as few blacklists support IPv6 operation + * as of this writing. + * * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be * contacted, via email, at admins@2mbit.com before using these BLs. * See for more information. */ blacklist { host = "rbl.efnetrbl.org"; + type = ipv4; reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}"; # host = "ircbl.ahbl.org"; +# type = ipv4; # reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect."; # # host = "tor.ahbl.org"; +# type = ipv4; # reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network."; +# + /* Example of a blacklist that supports both IPv4 and IPv6 */ +# host = "foobl.blacklist.invalid"; +# type = ipv4, ipv6; +# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect"; }; alias "NickServ" { diff --git a/doc/reference.conf b/doc/reference.conf index fd5de7cb..93ee97b3 100755 --- a/doc/reference.conf +++ b/doc/reference.conf @@ -820,19 +820,32 @@ serverhide { * ${nick} - the user's nickname * ${network-name} - the name of the network * + * As of charybdis 3.4, a type parameter is supported, which specifies the + * address families the blacklist supports. IPv4 and IPv6 are supported. + * IPv4 is currently the default as few blacklists support IPv6 operation + * as of this writing. + * * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be * contacted, via email, at admins@2mbit.com before using these BLs. * See for more information. */ blacklist { host = "rbl.efnetrbl.org"; + type = ipv4; reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}"; # host = "ircbl.ahbl.org"; +# type = ipv4; # reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect."; # # host = "tor.ahbl.org"; +# type = ipv4; # reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network."; +# + /* Example of a blacklist that supports both IPv4 and IPv6 */ +# host = "foobl.blacklist.invalid"; +# type = ipv4, ipv6; +# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect"; }; /* diff --git a/include/blacklist.h b/include/blacklist.h index 0569d526..c277da90 100644 --- a/include/blacklist.h +++ b/include/blacklist.h @@ -19,7 +19,6 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA * - * $Id: blacklist.h 2023 2006-09-02 23:47:27Z jilles $ */ #ifndef _BLACKLIST_H_ @@ -29,6 +28,8 @@ struct Blacklist { unsigned int status; /* If CONF_ILLEGAL, delete when no clients */ int refcount; + int ipv4; /* Does this blacklist support IPv4 lookups? */ + int ipv6; /* Does this blacklist support IPv6 lookups? */ char host[IRCD_RES_HOSTLEN + 1]; char reject_reason[IRCD_BUFSIZE]; unsigned int hits; @@ -44,7 +45,7 @@ struct BlacklistClient { }; /* public interfaces */ -struct Blacklist *new_blacklist(char *host, char *reject_entry); +struct Blacklist *new_blacklist(char *host, char *reject_reason, int ipv4, int ipv6); void lookup_blacklists(struct Client *client_p); void abort_blacklist_queries(struct Client *client_p); void unref_blacklist(struct Blacklist *blptr); diff --git a/src/blacklist.c b/src/blacklist.c index 7b09fe15..85a5545f 100644 --- a/src/blacklist.c +++ b/src/blacklist.c @@ -2,7 +2,7 @@ * charybdis: A slightly useful ircd. * blacklist.c: Manages DNS blacklist entries and lookups * - * Copyright (C) 2006-2008 charybdis development team + * Copyright (C) 2006-2011 charybdis development team * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -30,7 +30,6 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $Id: blacklist.c 2743 2006-11-10 15:15:00Z jilles $ */ #include "stdinc.h" @@ -113,7 +112,6 @@ static void blacklist_dns_callback(void *vptr, struct DNSReply *reply) rb_free(blcptr); } -/* XXX: no IPv6 implementation, not to concerned right now though. */ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *client_p) { struct BlacklistClient *blcptr = rb_malloc(sizeof(struct BlacklistClient)); @@ -126,15 +124,54 @@ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client * blcptr->dns_query.ptr = blcptr; blcptr->dns_query.callback = blacklist_dns_callback; - ip = (uint8_t *)&((struct sockaddr_in *)&client_p->localClient->ip)->sin_addr.s_addr; + if ((client_p->localClient->ip.ss_family == AF_INET) && blptr->ipv4) + { + ip = (uint8_t *)&((struct sockaddr_in *)&client_p->localClient->ip)->sin_addr.s_addr; - /* becomes 2.0.0.127.torbl.ahbl.org or whatever */ - rb_snprintf(buf, sizeof buf, "%u.%u.%u.%u.%s", - (unsigned int) ip[3], - (unsigned int) ip[2], - (unsigned int) ip[1], - (unsigned int) ip[0], - blptr->host); + /* becomes 2.0.0.127.torbl.ahbl.org or whatever */ + rb_snprintf(buf, sizeof buf, "%d.%d.%d.%d.%s", + (unsigned int) ip[3], + (unsigned int) ip[2], + (unsigned int) ip[1], + (unsigned int) ip[0], + blptr->host); + } + /* IPv6 is supported now. --Elizabeth */ + else if ((client_p->localClient->ip.ss_family == AF_INET6) && blptr->ipv6) + { + /* Breaks it into ip[0] = 0x00, ip[1] = 0x00... ip[16] = 0x01 for localhost + * I wish there was a uint4_t for C, this would make the below cleaner, but... */ + ip = (uint8_t *)&((struct sockaddr_in6 *)&client_p->localClient->ip)->sin6_addr.s6_addr; + char *bufptr = buf; + int i; + + /* The below will give us something like + * 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.foobl.invalid + */ + + /* Going backwards */ + for (i = 15; i >= 0; i--) + { + /* Get upper and lower nibbles (yes this works fine on + * both big and little endian) */ + uint8_t hi = (ip[i] >> 4) & 0x0F; + uint8_t lo = ip[i] & 0x0F; + + /* One part... (why 5? rb_snprintf adds \0) */ + rb_snprintf(bufptr, 5, "%1x.%1x.", + (unsigned int) lo, /* Remember, backwards */ + (unsigned int) hi); + + /* Lurch forward to next position */ + bufptr += 4; + } + + /* Tack host on */ + strcpy(bufptr, blptr->host); + } + /* This shouldn't happen... */ + else + return; gethost_byname_type(buf, &blcptr->dns_query, T_A); @@ -143,7 +180,7 @@ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client * } /* public interfaces */ -struct Blacklist *new_blacklist(char *name, char *reject_reason) +struct Blacklist *new_blacklist(char *name, char *reject_reason, int ipv4, int ipv6) { struct Blacklist *blptr; @@ -160,6 +197,8 @@ struct Blacklist *new_blacklist(char *name, char *reject_reason) blptr->status &= ~CONF_ILLEGAL; rb_strlcpy(blptr->host, name, IRCD_RES_HOSTLEN + 1); rb_strlcpy(blptr->reject_reason, reject_reason, IRCD_BUFSIZE); + blptr->ipv4 = ipv4; + blptr->ipv6 = ipv6; blptr->lastwarning = 0; return blptr; @@ -179,10 +218,6 @@ void lookup_blacklists(struct Client *client_p) { rb_dlink_node *nptr; - /* We don't do IPv6 right now, sorry! */ - if (client_p->localClient->ip.ss_family == AF_INET6) - return; - RB_DLINK_FOREACH(nptr, blacklist_list.head) { struct Blacklist *blptr = (struct Blacklist *) nptr->data; diff --git a/src/newconf.c b/src/newconf.c index 8b1dfa6a..82fd4485 100644 --- a/src/newconf.c +++ b/src/newconf.c @@ -54,6 +54,9 @@ static struct alias_entry *yy_alias = NULL; static char *yy_blacklist_host = NULL; static char *yy_blacklist_reason = NULL; +static int yy_blacklist_ipv4 = 1; +static int yy_blacklist_ipv6 = 0; + static char *yy_privset_extends = NULL; static const char * @@ -1775,6 +1778,34 @@ conf_set_blacklist_host(void *data) yy_blacklist_host = rb_strdup(data); } +static void +conf_set_blacklist_type(void *data) +{ + conf_parm_t *args = data; + + /* Don't assume we have either if we got here */ + yy_blacklist_ipv4 = 0; + yy_blacklist_ipv6 = 0; + + for (; args; args = args->next) + { + if (!strcasecmp(args->v.string, "ipv4")) + yy_blacklist_ipv4 = 1; + else if (!strcasecmp(args->v.string, "ipv6")) + yy_blacklist_ipv6 = 1; + else + conf_report_error("blacklist::type has unknown address family %s", + args->v.string); + } + + /* If we have neither, just default to IPv4 */ + if (!yy_blacklist_ipv4 && !yy_blacklist_ipv6) + { + conf_report_error("blacklist::type has neither IPv4 nor IPv6 (defaulting to IPv4)"); + yy_blacklist_ipv4 = 1; + } +} + static void conf_set_blacklist_reason(void *data) { @@ -1782,11 +1813,37 @@ conf_set_blacklist_reason(void *data) if (yy_blacklist_host && yy_blacklist_reason) { - new_blacklist(yy_blacklist_host, yy_blacklist_reason); + if (yy_blacklist_ipv6) + { + /* Make sure things fit (64 = alnum count + dots) */ + if ((64 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN) + { + conf_report_error("blacklist::host %s results in IPv6 queries that are too long", + yy_blacklist_host); + goto cleanup_bl; + } + } + /* Avoid doing redundant check, IPv6 is bigger than IPv4 --Elizabeth */ + if (yy_blacklist_ipv4 && !yy_blacklist_ipv6) + { + /* Make sure things fit (16 = number of nums + dots) */ + if ((16 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN) + { + conf_report_error("blacklist::host %s results in IPv4 queries that are too long", + yy_blacklist_host); + goto cleanup_bl; + } + } + + new_blacklist(yy_blacklist_host, yy_blacklist_reason, yy_blacklist_ipv4, yy_blacklist_ipv6); + +cleanup_bl: rb_free(yy_blacklist_host); rb_free(yy_blacklist_reason); yy_blacklist_host = NULL; yy_blacklist_reason = NULL; + yy_blacklist_ipv4 = 1; + yy_blacklist_ipv6 = 0; } } @@ -2279,5 +2336,6 @@ newconf_init() add_top_conf("blacklist", NULL, NULL, NULL); add_conf_item("blacklist", "host", CF_QSTRING, conf_set_blacklist_host); + add_conf_item("blacklist", "type", CF_STRING | CF_FLIST, conf_set_blacklist_type); add_conf_item("blacklist", "reject_reason", CF_QSTRING, conf_set_blacklist_reason); }