/** Find Except configuration for \a addr with flags matching \a flags
* @param[in] addr IP Address to match an Except configuration against.
* @param[in] mask Bitmask of EFLAG_* flags to test for exemption.
* @return -1 if an exception was found, 0 otherwise.
*/
int find_except_conf_by_ip(const struct irc_in_addr *addr, int flags)
{
struct ExceptConf *econf;
char ipbuf[SOCKIPLEN];
ircd_ntoa_r(ipbuf, addr);
for(econf = exceptConfList; econf; econf = econf->next) {
if (!(econf->flags & flags))
continue;
/* Attempt to match usermask against "%nobody" to ensure this isn't
* an Except that requires a user name to match.
*/
if (econf->usermask && match(econf->usermask, "%nobody"))
continue;
if (econf->bits > 0) {
if (!ipmask_check(addr, &econf->address, econf->bits))
continue;
} else if (econf->hostmask && match(econf->hostmask, ipbuf))
continue;
return -1;
}
return 0;
}
/** Statistics callback to list DNS servers.
* @param[in] source_p Client requesting statistics.
* @param[in] sd Stats descriptor for request (ignored).
* @param[in] param Extra parameter from user (ignored).
*/
void
report_dns_servers(struct Client *source_p, const struct StatDesc *sd, char *param)
{
int i;
char ipaddr[128];
for (i = 0; i < irc_nscount; i++)
{
ircd_ntoa_r(ipaddr, &irc_nsaddr_list[i].addr);
send_reply(source_p, RPL_STATSALINE, ipaddr);
}
}
/*
* ircd_ntoa - rewrote and renamed yet again :) --Bleep
* inetntoa - in_addr to string
* changed name to remove collision possibility and
* so behaviour is guaranteed to take a pointer arg.
* -avalon 23/11/92
* inet_ntoa -- returned the dotted notation of a given
* internet number
* argv 11/90).
* inet_ntoa -- its broken on some Ultrix/Dynix too. -avalon
*/
const char* ircd_ntoa(const char* in)
{
static char buf[20];
return ircd_ntoa_r(buf, in);
}
void add_connection(struct Listener* listener, int fd, void *ssl) {
#else
void add_connection(struct Listener* listener, int fd) {
#endif
struct irc_sockaddr addr;
struct Client *new_client;
time_t next_target = 0;
#if defined(USE_SSL)
char *sslfp;
#endif
const char* const throttle_message =
"ERROR :Your host is trying to (re)connect too fast -- throttled\r\n";
/* 12345678901234567890123456789012345679012345678901234567890123456 */
const char* const register_message =
"ERROR :Unable to complete your registration\r\n";
assert(0 != listener);
/*
* Removed preliminary access check. Full check is performed in m_server and
* m_user instead. Also connection time out help to get rid of unwanted
* connections.
*/
if (!os_get_peername(fd, &addr) || !os_set_nonblocking(fd)) {
++ServerStats->is_ref;
#if defined(USE_SSL)
ssl_murder(ssl, fd, NULL);
#else
close(fd);
#endif
return;
}
/*
* Disable IP (*not* TCP) options. In particular, this makes it impossible
* to use source routing to connect to the server. If we didn't do this
* (and if intermediate networks didn't drop source-routed packets), an
* attacker could successfully IP spoof us...and even return the anti-spoof
* ping, because the options would cause the packet to be routed back to
* the spoofer's machine. When we disable the IP options, we delete the
* source route, and the normal routing takes over.
*/
os_disable_options(fd);
if (listener_server(listener))
{
new_client = make_client(0, STAT_UNKNOWN_SERVER);
}
else
{
/*
* Add this local client to the IPcheck registry.
*
* If they're throttled, murder them, but tell them why first.
*/
if (!IPcheck_local_connect(&addr.addr, &next_target))
{
++ServerStats->is_ref;
#if defined(USE_SSL)
ssl_murder(ssl, fd, throttle_message);
#else
write(fd, throttle_message, strlen(throttle_message));
close(fd);
#endif
return;
}
new_client = make_client(0, STAT_UNKNOWN_USER);
SetIPChecked(new_client);
}
/*
* Copy ascii address to 'sockhost' just in case. Then we have something
* valid to put into error messages...
*/
ircd_ntoa_r(cli_sock_ip(new_client), &addr.addr);
strcpy(cli_sockhost(new_client), cli_sock_ip(new_client));
memcpy(&cli_ip(new_client), &addr.addr, sizeof(cli_ip(new_client)));
if (next_target)
cli_nexttarget(new_client) = next_target;
cli_fd(new_client) = fd;
if (!socket_add(&(cli_socket(new_client)), client_sock_callback,
(void*) cli_connect(new_client), SS_CONNECTED, 0, fd)) {
++ServerStats->is_ref;
#if defined(USE_SSL)
ssl_murder(ssl, fd, register_message);
#else
write(fd, register_message, strlen(register_message));
close(fd);
#endif
cli_fd(new_client) = -1;
return;
}
#if defined(USE_SSL)
if (ssl) {
cli_socket(new_client).s_ssl = ssl;
sslfp = ssl_get_fingerprint(ssl);
if (sslfp)
ircd_strncpy(cli_sslclifp(new_client), sslfp, BUFSIZE+1);
}
#endif
cli_freeflag(new_client) |= FREEFLAG_SOCKET;
cli_listener(new_client) = listener;
++listener->ref_count;
Count_newunknown(UserStats);
/* if we've made it this far we can put the client on the auth query pile */
start_auth(new_client);
}
/** Determines whether to tell the events engine we're interested in
* writable events.
* @param cptr Client for which to decide this.
*/
void update_write(struct Client* cptr)
{
/* If there are messages that need to be sent along, or if the client
* is in the middle of a /list, then we need to tell the engine that
* we're interested in writable events--otherwise, we need to drop
* that interest.
*/
socket_events(&(cli_socket(cptr)),
((MsgQLength(&cli_sendQ(cptr)) || cli_listing(cptr)) ?
SOCK_ACTION_ADD : SOCK_ACTION_DEL) | SOCK_EVENT_WRITABLE);
}
/** Set up address and port and make a connection.
* @param aconf Provides the connection information.
* @param cptr Client structure for the peer.
* @return Non-zero on success; zero on failure.
*/
static int connect_inet(struct ConfItem* aconf, struct Client* cptr)
{
const struct irc_sockaddr *local;
IOResult result;
int family = 0;
assert(0 != aconf);
assert(0 != cptr);
/*
* Might as well get sockhost from here, the connection is attempted
* with it so if it fails its useless.
*/
if (irc_in_addr_valid(&aconf->origin.addr))
local = &aconf->origin;
else if (irc_in_addr_is_ipv4(&aconf->address.addr)) {
local = &VirtualHost_v4;
family = AF_INET;
} else
local = &VirtualHost_v6;
cli_fd(cptr) = os_socket(local, SOCK_STREAM, cli_name(cptr), family);
if (cli_fd(cptr) < 0)
return 0;
/*
* save connection info in client
*/
memcpy(&cli_ip(cptr), &aconf->address.addr, sizeof(cli_ip(cptr)));
ircd_ntoa_r(cli_sock_ip(cptr), &cli_ip(cptr));
/*
* we want a big buffer for server connections
*/
if (!os_set_sockbufs(cli_fd(cptr), feature_int(FEAT_SOCKSENDBUF), feature_int(FEAT_SOCKRECVBUF))) {
cli_error(cptr) = errno;
report_error(SETBUFS_ERROR_MSG, cli_name(cptr), errno);
close(cli_fd(cptr));
cli_fd(cptr) = -1;
return 0;
}
/*
* Set the TOS bits - this is nonfatal if it doesn't stick.
*/
if (!os_set_tos(cli_fd(cptr), feature_int(FEAT_TOS_SERVER))) {
report_error(TOS_ERROR_MSG, cli_name(cptr), errno);
}
if ((result = os_connect_nonb(cli_fd(cptr), &aconf->address)) == IO_FAILURE) {
cli_error(cptr) = errno;
report_error(CONNECT_ERROR_MSG, cli_name(cptr), errno);
close(cli_fd(cptr));
cli_fd(cptr) = -1;
return 0;
}
if (!socket_add(&(cli_socket(cptr)), client_sock_callback,
(void*) cli_connect(cptr),
(result == IO_SUCCESS) ? SS_CONNECTED : SS_CONNECTING,
SOCK_EVENT_READABLE, cli_fd(cptr))) {
cli_error(cptr) = ENFILE;
report_error(REGISTER_ERROR_MSG, cli_name(cptr), ENFILE);
close(cli_fd(cptr));
cli_fd(cptr) = -1;
return 0;
}
cli_freeflag(cptr) |= FREEFLAG_SOCKET;
return 1;
}
/** Creates a client which has just connected to us on the given fd.
* The sockhost field is initialized with the ip# of the host.
* The client is not added to the linked list of clients, it is
* passed off to the auth handler for dns and ident queries.
* @param listener Listening socket that received the connection.
* @param fd File descriptor of new connection.
*/
void add_connection(struct Listener* listener, int fd) {
struct irc_sockaddr addr;
struct Client *new_client;
time_t next_target = 0;
const char* const throttle_message =
"ERROR :Your host is trying to (re)connect too fast -- throttled\r\n";
/* 12345678901234567890123456789012345679012345678901234567890123456 */
const char* const register_message =
"ERROR :Unable to complete your registration\r\n";
assert(0 != listener);
/*
* Removed preliminary access check. Full check is performed in m_server and
* m_user instead. Also connection time out help to get rid of unwanted
* connections.
*/
if (!os_get_peername(fd, &addr) || !os_set_nonblocking(fd)) {
++ServerStats->is_ref;
close(fd);
return;
}
/*
* Disable IP (*not* TCP) options. In particular, this makes it impossible
* to use source routing to connect to the server. If we didn't do this
* (and if intermediate networks didn't drop source-routed packets), an
* attacker could successfully IP spoof us...and even return the anti-spoof
* ping, because the options would cause the packet to be routed back to
* the spoofer's machine. When we disable the IP options, we delete the
* source route, and the normal routing takes over.
*/
os_disable_options(fd);
if (listener_server(listener))
{
new_client = make_client(0, STAT_UNKNOWN_SERVER);
}
else
{
/*
* Add this local client to the IPcheck registry.
*
* If they're throttled, murder them, but tell them why first.
*/
if (!IPcheck_local_connect(&addr.addr, &next_target))
{
++ServerStats->is_ref;
write(fd, throttle_message, strlen(throttle_message));
close(fd);
return;
}
new_client = make_client(0, STAT_UNKNOWN_USER);
SetIPChecked(new_client);
}
/*
* Copy ascii address to 'sockhost' just in case. Then we have something
* valid to put into error messages...
*/
ircd_ntoa_r(cli_sock_ip(new_client), &addr.addr);
strcpy(cli_sockhost(new_client), cli_sock_ip(new_client));
memcpy(&cli_ip(new_client), &addr.addr, sizeof(cli_ip(new_client)));
if (next_target)
cli_nexttarget(new_client) = next_target;
cli_fd(new_client) = fd;
if (!socket_add(&(cli_socket(new_client)), client_sock_callback,
(void*) cli_connect(new_client), SS_CONNECTED, 0, fd)) {
++ServerStats->is_ref;
write(fd, register_message, strlen(register_message));
close(fd);
cli_fd(new_client) = -1;
return;
}
cli_freeflag(new_client) |= FREEFLAG_SOCKET;
cli_listener(new_client) = listener;
++listener->ref_count;
Count_newunknown(UserStats);
/* if we've made it this far we can put the client on the auth query pile */
start_auth(new_client);
}
