Support IPv6 blacklists. Also add a conf file option allowing the use of IPv4, IPv6, or both for a blacklist.
Although few blacklists currently support IPv6 lookups, they will likely begin to do so in the near future as more net trash begins using IPv6.
This commit is contained in:
parent
6493f05d8c
commit
0a1e77c27c
5 changed files with 140 additions and 20 deletions
|
@ -361,7 +361,7 @@ serverhide {
|
||||||
* Word to the wise: Do not use blacklists like SPEWS for blocking IRC
|
* Word to the wise: Do not use blacklists like SPEWS for blocking IRC
|
||||||
* connections.
|
* connections.
|
||||||
*
|
*
|
||||||
* As of charybdis 2.1.3, you can do some keyword substitution on the rejection
|
* As of charybdis 2.2, you can do some keyword substitution on the rejection
|
||||||
* reason. The available keyword substitutions are:
|
* reason. The available keyword substitutions are:
|
||||||
*
|
*
|
||||||
* ${ip} - the user's IP
|
* ${ip} - the user's IP
|
||||||
|
@ -370,19 +370,32 @@ serverhide {
|
||||||
* ${nick} - the user's nickname
|
* ${nick} - the user's nickname
|
||||||
* ${network-name} - the name of the network
|
* ${network-name} - the name of the network
|
||||||
*
|
*
|
||||||
|
* As of charybdis 3.4, a type parameter is supported, which specifies the
|
||||||
|
* address families the blacklist supports. IPv4 and IPv6 are supported.
|
||||||
|
* IPv4 is currently the default as few blacklists support IPv6 operation
|
||||||
|
* as of this writing.
|
||||||
|
*
|
||||||
* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
|
* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
|
||||||
* contacted, via email, at admins@2mbit.com before using these BLs.
|
* contacted, via email, at admins@2mbit.com before using these BLs.
|
||||||
* See <http://www.ahbl.org/services.php> for more information.
|
* See <http://www.ahbl.org/services.php> for more information.
|
||||||
*/
|
*/
|
||||||
blacklist {
|
blacklist {
|
||||||
host = "rbl.efnetrbl.org";
|
host = "rbl.efnetrbl.org";
|
||||||
|
type = ipv4;
|
||||||
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
|
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
|
||||||
|
|
||||||
# host = "ircbl.ahbl.org";
|
# host = "ircbl.ahbl.org";
|
||||||
|
# type = ipv4;
|
||||||
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect.";
|
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect.";
|
||||||
#
|
#
|
||||||
# host = "tor.ahbl.org";
|
# host = "tor.ahbl.org";
|
||||||
|
# type = ipv4;
|
||||||
# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
|
# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
|
||||||
|
#
|
||||||
|
/* Example of a blacklist that supports both IPv4 and IPv6 */
|
||||||
|
# host = "foobl.blacklist.invalid";
|
||||||
|
# type = ipv4, ipv6;
|
||||||
|
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
|
||||||
};
|
};
|
||||||
|
|
||||||
alias "NickServ" {
|
alias "NickServ" {
|
||||||
|
|
|
@ -820,19 +820,32 @@ serverhide {
|
||||||
* ${nick} - the user's nickname
|
* ${nick} - the user's nickname
|
||||||
* ${network-name} - the name of the network
|
* ${network-name} - the name of the network
|
||||||
*
|
*
|
||||||
|
* As of charybdis 3.4, a type parameter is supported, which specifies the
|
||||||
|
* address families the blacklist supports. IPv4 and IPv6 are supported.
|
||||||
|
* IPv4 is currently the default as few blacklists support IPv6 operation
|
||||||
|
* as of this writing.
|
||||||
|
*
|
||||||
* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
|
* Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
|
||||||
* contacted, via email, at admins@2mbit.com before using these BLs.
|
* contacted, via email, at admins@2mbit.com before using these BLs.
|
||||||
* See <http://www.ahbl.org/services.php> for more information.
|
* See <http://www.ahbl.org/services.php> for more information.
|
||||||
*/
|
*/
|
||||||
blacklist {
|
blacklist {
|
||||||
host = "rbl.efnetrbl.org";
|
host = "rbl.efnetrbl.org";
|
||||||
|
type = ipv4;
|
||||||
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
|
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
|
||||||
|
|
||||||
# host = "ircbl.ahbl.org";
|
# host = "ircbl.ahbl.org";
|
||||||
|
# type = ipv4;
|
||||||
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect.";
|
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect.";
|
||||||
#
|
#
|
||||||
# host = "tor.ahbl.org";
|
# host = "tor.ahbl.org";
|
||||||
|
# type = ipv4;
|
||||||
# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
|
# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
|
||||||
|
#
|
||||||
|
/* Example of a blacklist that supports both IPv4 and IPv6 */
|
||||||
|
# host = "foobl.blacklist.invalid";
|
||||||
|
# type = ipv4, ipv6;
|
||||||
|
# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -19,7 +19,6 @@
|
||||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
|
||||||
* USA
|
* USA
|
||||||
*
|
*
|
||||||
* $Id: blacklist.h 2023 2006-09-02 23:47:27Z jilles $
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _BLACKLIST_H_
|
#ifndef _BLACKLIST_H_
|
||||||
|
@ -29,6 +28,8 @@
|
||||||
struct Blacklist {
|
struct Blacklist {
|
||||||
unsigned int status; /* If CONF_ILLEGAL, delete when no clients */
|
unsigned int status; /* If CONF_ILLEGAL, delete when no clients */
|
||||||
int refcount;
|
int refcount;
|
||||||
|
int ipv4; /* Does this blacklist support IPv4 lookups? */
|
||||||
|
int ipv6; /* Does this blacklist support IPv6 lookups? */
|
||||||
char host[IRCD_RES_HOSTLEN + 1];
|
char host[IRCD_RES_HOSTLEN + 1];
|
||||||
char reject_reason[IRCD_BUFSIZE];
|
char reject_reason[IRCD_BUFSIZE];
|
||||||
unsigned int hits;
|
unsigned int hits;
|
||||||
|
@ -44,7 +45,7 @@ struct BlacklistClient {
|
||||||
};
|
};
|
||||||
|
|
||||||
/* public interfaces */
|
/* public interfaces */
|
||||||
struct Blacklist *new_blacklist(char *host, char *reject_entry);
|
struct Blacklist *new_blacklist(char *host, char *reject_reason, int ipv4, int ipv6);
|
||||||
void lookup_blacklists(struct Client *client_p);
|
void lookup_blacklists(struct Client *client_p);
|
||||||
void abort_blacklist_queries(struct Client *client_p);
|
void abort_blacklist_queries(struct Client *client_p);
|
||||||
void unref_blacklist(struct Blacklist *blptr);
|
void unref_blacklist(struct Blacklist *blptr);
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
* charybdis: A slightly useful ircd.
|
* charybdis: A slightly useful ircd.
|
||||||
* blacklist.c: Manages DNS blacklist entries and lookups
|
* blacklist.c: Manages DNS blacklist entries and lookups
|
||||||
*
|
*
|
||||||
* Copyright (C) 2006-2008 charybdis development team
|
* Copyright (C) 2006-2011 charybdis development team
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions are
|
* modification, are permitted provided that the following conditions are
|
||||||
|
@ -30,7 +30,6 @@
|
||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $Id: blacklist.c 2743 2006-11-10 15:15:00Z jilles $
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "stdinc.h"
|
#include "stdinc.h"
|
||||||
|
@ -113,7 +112,6 @@ static void blacklist_dns_callback(void *vptr, struct DNSReply *reply)
|
||||||
rb_free(blcptr);
|
rb_free(blcptr);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* XXX: no IPv6 implementation, not to concerned right now though. */
|
|
||||||
static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *client_p)
|
static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *client_p)
|
||||||
{
|
{
|
||||||
struct BlacklistClient *blcptr = rb_malloc(sizeof(struct BlacklistClient));
|
struct BlacklistClient *blcptr = rb_malloc(sizeof(struct BlacklistClient));
|
||||||
|
@ -126,15 +124,54 @@ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *
|
||||||
blcptr->dns_query.ptr = blcptr;
|
blcptr->dns_query.ptr = blcptr;
|
||||||
blcptr->dns_query.callback = blacklist_dns_callback;
|
blcptr->dns_query.callback = blacklist_dns_callback;
|
||||||
|
|
||||||
ip = (uint8_t *)&((struct sockaddr_in *)&client_p->localClient->ip)->sin_addr.s_addr;
|
if ((client_p->localClient->ip.ss_family == AF_INET) && blptr->ipv4)
|
||||||
|
{
|
||||||
|
ip = (uint8_t *)&((struct sockaddr_in *)&client_p->localClient->ip)->sin_addr.s_addr;
|
||||||
|
|
||||||
/* becomes 2.0.0.127.torbl.ahbl.org or whatever */
|
/* becomes 2.0.0.127.torbl.ahbl.org or whatever */
|
||||||
rb_snprintf(buf, sizeof buf, "%u.%u.%u.%u.%s",
|
rb_snprintf(buf, sizeof buf, "%d.%d.%d.%d.%s",
|
||||||
(unsigned int) ip[3],
|
(unsigned int) ip[3],
|
||||||
(unsigned int) ip[2],
|
(unsigned int) ip[2],
|
||||||
(unsigned int) ip[1],
|
(unsigned int) ip[1],
|
||||||
(unsigned int) ip[0],
|
(unsigned int) ip[0],
|
||||||
blptr->host);
|
blptr->host);
|
||||||
|
}
|
||||||
|
/* IPv6 is supported now. --Elizabeth */
|
||||||
|
else if ((client_p->localClient->ip.ss_family == AF_INET6) && blptr->ipv6)
|
||||||
|
{
|
||||||
|
/* Breaks it into ip[0] = 0x00, ip[1] = 0x00... ip[16] = 0x01 for localhost
|
||||||
|
* I wish there was a uint4_t for C, this would make the below cleaner, but... */
|
||||||
|
ip = (uint8_t *)&((struct sockaddr_in6 *)&client_p->localClient->ip)->sin6_addr.s6_addr;
|
||||||
|
char *bufptr = buf;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
/* The below will give us something like
|
||||||
|
* 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.foobl.invalid
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Going backwards */
|
||||||
|
for (i = 15; i >= 0; i--)
|
||||||
|
{
|
||||||
|
/* Get upper and lower nibbles (yes this works fine on
|
||||||
|
* both big and little endian) */
|
||||||
|
uint8_t hi = (ip[i] >> 4) & 0x0F;
|
||||||
|
uint8_t lo = ip[i] & 0x0F;
|
||||||
|
|
||||||
|
/* One part... (why 5? rb_snprintf adds \0) */
|
||||||
|
rb_snprintf(bufptr, 5, "%1x.%1x.",
|
||||||
|
(unsigned int) lo, /* Remember, backwards */
|
||||||
|
(unsigned int) hi);
|
||||||
|
|
||||||
|
/* Lurch forward to next position */
|
||||||
|
bufptr += 4;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Tack host on */
|
||||||
|
strcpy(bufptr, blptr->host);
|
||||||
|
}
|
||||||
|
/* This shouldn't happen... */
|
||||||
|
else
|
||||||
|
return;
|
||||||
|
|
||||||
gethost_byname_type(buf, &blcptr->dns_query, T_A);
|
gethost_byname_type(buf, &blcptr->dns_query, T_A);
|
||||||
|
|
||||||
|
@ -143,7 +180,7 @@ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *
|
||||||
}
|
}
|
||||||
|
|
||||||
/* public interfaces */
|
/* public interfaces */
|
||||||
struct Blacklist *new_blacklist(char *name, char *reject_reason)
|
struct Blacklist *new_blacklist(char *name, char *reject_reason, int ipv4, int ipv6)
|
||||||
{
|
{
|
||||||
struct Blacklist *blptr;
|
struct Blacklist *blptr;
|
||||||
|
|
||||||
|
@ -160,6 +197,8 @@ struct Blacklist *new_blacklist(char *name, char *reject_reason)
|
||||||
blptr->status &= ~CONF_ILLEGAL;
|
blptr->status &= ~CONF_ILLEGAL;
|
||||||
rb_strlcpy(blptr->host, name, IRCD_RES_HOSTLEN + 1);
|
rb_strlcpy(blptr->host, name, IRCD_RES_HOSTLEN + 1);
|
||||||
rb_strlcpy(blptr->reject_reason, reject_reason, IRCD_BUFSIZE);
|
rb_strlcpy(blptr->reject_reason, reject_reason, IRCD_BUFSIZE);
|
||||||
|
blptr->ipv4 = ipv4;
|
||||||
|
blptr->ipv6 = ipv6;
|
||||||
blptr->lastwarning = 0;
|
blptr->lastwarning = 0;
|
||||||
|
|
||||||
return blptr;
|
return blptr;
|
||||||
|
@ -179,10 +218,6 @@ void lookup_blacklists(struct Client *client_p)
|
||||||
{
|
{
|
||||||
rb_dlink_node *nptr;
|
rb_dlink_node *nptr;
|
||||||
|
|
||||||
/* We don't do IPv6 right now, sorry! */
|
|
||||||
if (client_p->localClient->ip.ss_family == AF_INET6)
|
|
||||||
return;
|
|
||||||
|
|
||||||
RB_DLINK_FOREACH(nptr, blacklist_list.head)
|
RB_DLINK_FOREACH(nptr, blacklist_list.head)
|
||||||
{
|
{
|
||||||
struct Blacklist *blptr = (struct Blacklist *) nptr->data;
|
struct Blacklist *blptr = (struct Blacklist *) nptr->data;
|
||||||
|
|
|
@ -54,6 +54,9 @@ static struct alias_entry *yy_alias = NULL;
|
||||||
|
|
||||||
static char *yy_blacklist_host = NULL;
|
static char *yy_blacklist_host = NULL;
|
||||||
static char *yy_blacklist_reason = NULL;
|
static char *yy_blacklist_reason = NULL;
|
||||||
|
static int yy_blacklist_ipv4 = 1;
|
||||||
|
static int yy_blacklist_ipv6 = 0;
|
||||||
|
|
||||||
static char *yy_privset_extends = NULL;
|
static char *yy_privset_extends = NULL;
|
||||||
|
|
||||||
static const char *
|
static const char *
|
||||||
|
@ -1775,6 +1778,34 @@ conf_set_blacklist_host(void *data)
|
||||||
yy_blacklist_host = rb_strdup(data);
|
yy_blacklist_host = rb_strdup(data);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
conf_set_blacklist_type(void *data)
|
||||||
|
{
|
||||||
|
conf_parm_t *args = data;
|
||||||
|
|
||||||
|
/* Don't assume we have either if we got here */
|
||||||
|
yy_blacklist_ipv4 = 0;
|
||||||
|
yy_blacklist_ipv6 = 0;
|
||||||
|
|
||||||
|
for (; args; args = args->next)
|
||||||
|
{
|
||||||
|
if (!strcasecmp(args->v.string, "ipv4"))
|
||||||
|
yy_blacklist_ipv4 = 1;
|
||||||
|
else if (!strcasecmp(args->v.string, "ipv6"))
|
||||||
|
yy_blacklist_ipv6 = 1;
|
||||||
|
else
|
||||||
|
conf_report_error("blacklist::type has unknown address family %s",
|
||||||
|
args->v.string);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If we have neither, just default to IPv4 */
|
||||||
|
if (!yy_blacklist_ipv4 && !yy_blacklist_ipv6)
|
||||||
|
{
|
||||||
|
conf_report_error("blacklist::type has neither IPv4 nor IPv6 (defaulting to IPv4)");
|
||||||
|
yy_blacklist_ipv4 = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
conf_set_blacklist_reason(void *data)
|
conf_set_blacklist_reason(void *data)
|
||||||
{
|
{
|
||||||
|
@ -1782,11 +1813,37 @@ conf_set_blacklist_reason(void *data)
|
||||||
|
|
||||||
if (yy_blacklist_host && yy_blacklist_reason)
|
if (yy_blacklist_host && yy_blacklist_reason)
|
||||||
{
|
{
|
||||||
new_blacklist(yy_blacklist_host, yy_blacklist_reason);
|
if (yy_blacklist_ipv6)
|
||||||
|
{
|
||||||
|
/* Make sure things fit (64 = alnum count + dots) */
|
||||||
|
if ((64 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN)
|
||||||
|
{
|
||||||
|
conf_report_error("blacklist::host %s results in IPv6 queries that are too long",
|
||||||
|
yy_blacklist_host);
|
||||||
|
goto cleanup_bl;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* Avoid doing redundant check, IPv6 is bigger than IPv4 --Elizabeth */
|
||||||
|
if (yy_blacklist_ipv4 && !yy_blacklist_ipv6)
|
||||||
|
{
|
||||||
|
/* Make sure things fit (16 = number of nums + dots) */
|
||||||
|
if ((16 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN)
|
||||||
|
{
|
||||||
|
conf_report_error("blacklist::host %s results in IPv4 queries that are too long",
|
||||||
|
yy_blacklist_host);
|
||||||
|
goto cleanup_bl;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
new_blacklist(yy_blacklist_host, yy_blacklist_reason, yy_blacklist_ipv4, yy_blacklist_ipv6);
|
||||||
|
|
||||||
|
cleanup_bl:
|
||||||
rb_free(yy_blacklist_host);
|
rb_free(yy_blacklist_host);
|
||||||
rb_free(yy_blacklist_reason);
|
rb_free(yy_blacklist_reason);
|
||||||
yy_blacklist_host = NULL;
|
yy_blacklist_host = NULL;
|
||||||
yy_blacklist_reason = NULL;
|
yy_blacklist_reason = NULL;
|
||||||
|
yy_blacklist_ipv4 = 1;
|
||||||
|
yy_blacklist_ipv6 = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2279,5 +2336,6 @@ newconf_init()
|
||||||
|
|
||||||
add_top_conf("blacklist", NULL, NULL, NULL);
|
add_top_conf("blacklist", NULL, NULL, NULL);
|
||||||
add_conf_item("blacklist", "host", CF_QSTRING, conf_set_blacklist_host);
|
add_conf_item("blacklist", "host", CF_QSTRING, conf_set_blacklist_host);
|
||||||
|
add_conf_item("blacklist", "type", CF_STRING | CF_FLIST, conf_set_blacklist_type);
|
||||||
add_conf_item("blacklist", "reject_reason", CF_QSTRING, conf_set_blacklist_reason);
|
add_conf_item("blacklist", "reject_reason", CF_QSTRING, conf_set_blacklist_reason);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue