From fbe8d087e73ef762ba95f008e671837986e1542e Mon Sep 17 00:00:00 2001
From: Elizabeth Myers
Date: Sat, 2 Apr 2016 02:42:11 -0500
Subject: [PATCH] Add exempt logic for open proxies
---
 authd/provider.c | 3 +++
 include/s_conf.h | 2 ++
 ircd/newconf.c | 33 +++++++++++++++++----------------
 ircd/s_user.c | 28 ++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 16 deletions(-)
diff --git a/authd/provider.c b/authd/provider.c
index 6cc6eee4e..b459fec73 100644
--- a/authd/provider.c
+++ b/authd/provider.c
@@ -215,6 +215,9 @@ reject_client(struct auth_client *auth, provider_t id, const char *data, const c
 case PROVIDER_BLACKLIST:
 reject = 'B';
 break;
+ case PROVIDER_OPM:
+ reject = 'O';
+ break;
 default:
 reject = 'N';
 break;
diff --git a/include/s_conf.h b/include/s_conf.h
index 9a0f55328..ea4822691 100644
--- a/include/s_conf.h
+++ b/include/s_conf.h
@@ -110,6 +110,7 @@ struct ConfItem
 #define CONF_FLAGS_EXTEND_CHANS 0x00080000
 #define CONF_FLAGS_ENCRYPTED 0x00200000
 #define CONF_FLAGS_EXEMPTDNSBL 0x04000000
+#define CONF_FLAGS_EXEMPTPROXY 0x08000000
 /* Macros for struct ConfItem */
@@ -130,6 +131,7 @@ struct ConfItem
 #define IsConfEncrypted(x) ((x)->flags & CONF_FLAGS_ENCRYPTED)
 #define IsNeedSasl(x) ((x)->flags & CONF_FLAGS_NEED_SASL)
 #define IsConfExemptDNSBL(x) ((x)->flags & CONF_FLAGS_EXEMPTDNSBL)
+#define IsConfExemptProxy(x) ((x)->flags & CONF_FLAGS_EXEMPTPROXY)
 #define IsConfExtendChans(x) ((x)->flags & CONF_FLAGS_EXTEND_CHANS)
 #define IsConfSSLNeeded(x) ((x)->flags & CONF_FLAGS_NEED_SSL)
diff --git a/ircd/newconf.c b/ircd/newconf.c
index b91095709..9a2f0b901 100644
--- a/ircd/newconf.c
+++ b/ircd/newconf.c
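Review bot: The new `'O'` reject code in `reject_client` is tied to the `case 'O':` this patch adds in `register_local_user` only by the bare character literal, and neither site says so. A short comment on the new case, for example `/* 'O' = open proxy; must match the reject switch in ircd/s_user.c */`, would keep the two processes from drifting apart, since a code the ircd side does not recognise appears to land in its `default:` branch. The rest of the switch and of `reject_client` is outside the hunk.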
@@ -331,22 +331,23 @@ static struct mode_table oper_table[] = {
 };
 static struct mode_table auth_table[] = {
- {"encrypted", CONF_FLAGS_ENCRYPTED },
- {"spoof_notice", CONF_FLAGS_SPOOF_NOTICE },
- {"exceed_limit", CONF_FLAGS_NOLIMIT },
- {"dnsbl_exempt", CONF_FLAGS_EXEMPTDNSBL },
- {"kline_exempt", CONF_FLAGS_EXEMPTKLINE },
- {"flood_exempt", CONF_FLAGS_EXEMPTFLOOD },
- {"spambot_exempt", CONF_FLAGS_EXEMPTSPAMBOT },
- {"shide_exempt", CONF_FLAGS_EXEMPTSHIDE },
- {"jupe_exempt", CONF_FLAGS_EXEMPTJUPE },
- {"resv_exempt", CONF_FLAGS_EXEMPTRESV },
- {"no_tilde", CONF_FLAGS_NO_TILDE },
- {"need_ident", CONF_FLAGS_NEED_IDENTD },
- {"have_ident", CONF_FLAGS_NEED_IDENTD },
- {"need_ssl", CONF_FLAGS_NEED_SSL },
- {"need_sasl", CONF_FLAGS_NEED_SASL },
- {"extend_chans", CONF_FLAGS_EXTEND_CHANS },
+ {"encrypted", CONF_FLAGS_ENCRYPTED },
+ {"spoof_notice", CONF_FLAGS_SPOOF_NOTICE },
+ {"exceed_limit", CONF_FLAGS_NOLIMIT },
+ {"dnsbl_exempt", CONF_FLAGS_EXEMPTDNSBL },
+ {"proxy_exempt", CONF_FLAGS_EXEMPTPROXY },
+ {"kline_exempt", CONF_FLAGS_EXEMPTKLINE },
+ {"flood_exempt", CONF_FLAGS_EXEMPTFLOOD },
+ {"spambot_exempt", CONF_FLAGS_EXEMPTSPAMBOT },
+ {"shide_exempt", CONF_FLAGS_EXEMPTSHIDE },
+ {"jupe_exempt", CONF_FLAGS_EXEMPTJUPE },
+ {"resv_exempt", CONF_FLAGS_EXEMPTRESV },
+ {"no_tilde", CONF_FLAGS_NO_TILDE },
+ {"need_ident", CONF_FLAGS_NEED_IDENTD },
+ {"have_ident", CONF_FLAGS_NEED_IDENTD },
+ {"need_ssl", CONF_FLAGS_NEED_SSL },
+ {"need_sasl", CONF_FLAGS_NEED_SASL },
+ {"extend_chans", CONF_FLAGS_EXTEND_CHANS },
 {NULL, 0}
 };
diff --git a/ircd/s_user.c b/ircd/s_user.c
index 80aee0e06..453aa471f 100644
--- a/ircd/s_user.c
+++ b/ircd/s_user.c
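Review bot: `proxy_exempt` becomes a new operator-facing auth flag in `auth_table`, but the diffstat lists only four source files, so nothing in this patch documents it. Because the flag lets a connection register even after the open-proxy check has flagged it, the example configuration should say so explicitly, along the lines of `proxy_exempt: do not reject clients matching this auth block that are detected as open proxies`. Separately, re-aligning the sixteen existing rows in the same commit hides the single functional addition; putting the whitespace change in its own commit would make the new entry easier to audit.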
@@ -467,6 +467,34 @@ register_local_user(struct Client *client_p, struct Client *source_p)
 return CLIENT_EXITED;
 }
 break;
+ case 'O':
+ if(IsExemptKline(source_p) || IsConfExemptProxy(aconf))
+ {
+ sendto_one_notice(source_p, ":*** Your IP address %s has been detected as an open proxy (ip:port %s), but you are exempt",
+ source_p->sockhost, source_p->preClient->authd_data);
+ }
+ else
+ {
+ sendto_realops_snomask(SNO_REJ, L_NETWIDE,
+ "Open proxy %s: %s (%s@%s) [%s] [%s]",
+ source_p->preClient->authd_data,
+ source_p->name,
+ source_p->username, source_p->host,
+ IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost,
+ source_p->info);
+ ServerStats.is_ref++;
+ sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP),
+ me.name, source_p->name, reason);
+ sendto_one_notice(source_p, ":*** Your IP address %s has been detected as an open proxy (ip:port %s)",
+ source_p->sockhost, source_p->preClient->authd_data);
+ add_reject(source_p, NULL, NULL);
+ exit_client(client_p, source_p, &me, "*** Banned (Open proxy)");
+ substitution_free(&varlist);
+ return CLIENT_EXITED;
+ }
 default: /* Unknown, but handle the case properly */ if (IsExemptKline(source_p)) {
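Review bot: The new `case 'O':` has no `break;` after its `if`/`else`, so the exempt branch falls through into `default:` once the "but you are exempt" notice has been sent. For a client that is exempt only through `IsConfExemptProxy(aconf)`, the `IsExemptKline(source_p)` test at the top of `default:` is false, so it presumably takes that case's rejection path and `proxy_exempt` has no effect; a kline-exempt client would instead receive a second notice. Adding `break;` after the closing brace of the `else` block, as the preceding case does, fixes both. The `default:` body and the declarations of `aconf` and `reason` are outside the hunk, so the exact fall-through outcome should be confirmed there.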