diff options
| -rw-r--r-- | include/socket.h | 72 | ||||
| -rw-r--r-- | include/usermanager.h | 2 | ||||
| -rw-r--r-- | include/users.h | 2 | ||||
| -rw-r--r-- | src/cidr.cpp | 95 | ||||
| -rw-r--r-- | src/modules/m_clones.cpp | 2 | ||||
| -rw-r--r-- | src/modules/m_connectban.cpp | 8 | ||||
| -rw-r--r-- | src/modules/m_spanningtree/utils.cpp | 31 | ||||
| -rw-r--r-- | src/socket.cpp | 175 | ||||
| -rw-r--r-- | src/usermanager.cpp | 2 | ||||
| -rw-r--r-- | src/users.cpp | 4 |
10 files changed, 186 insertions, 207 deletions
diff --git a/include/socket.h b/include/socket.h index ef6edbbca..b012cf62a 100644 --- a/include/socket.h +++ b/include/socket.h @@ -45,38 +45,43 @@ namespace irc */ namespace sockets { - - typedef union { + union CoreExport sockaddrs { struct sockaddr sa; struct sockaddr_in in4; struct sockaddr_in6 in6; - } sockaddrs; - - /** Match raw binary data using CIDR rules. - * - * This function will use binary comparison to compare the - * two bit sequences, address and mask, up to mask_bits - * bits in size. If they match, it will return true. - * @param address The whole address, of 4 or 16 bytes in length - * @param mask The mask, from 1 to 16 bytes in length, anything - * from 1 to 128 bits of which is significant - * @param mask_Bits How many bits of the mask parameter are significant - * for this comparison. - * @returns True if the first mask_bits of address matches the first - * mask_bits of mask. - */ - CoreExport bool MatchCIDRBits(const unsigned char* address, const unsigned char* mask, unsigned int mask_bits); - - /** Match CIDR, without matching username/nickname parts. - * - * This function will compare a human-readable address against a human- - * readable CIDR mask, for example 1.2.3.4 against 1.2.0.0/16. This - * method supports both IPV4 and IPV6 addresses. - * @param address The human readable address, e.g. 1.2.3.4 - * @param cidr_mask The human readable mask, e.g. 1.2.0.0/16 - * @return True if the mask matches the address - */ - CoreExport bool MatchCIDR(const std::string &address, const std::string &cidr_mask); + /** Return the size of the structure for syscall passing */ + int sa_size() const; + /** Return port number or -1 if invalid */ + int port() const; + /** Return IP only */ + std::string addr() const; + /** Return human-readable IP/port pair */ + std::string str() const; + }; + + struct cidr_mask + { + /** Type, AF_INET or AF_INET6 */ + unsigned char type; + /** Length of the mask in bits (0-128) */ + unsigned char length; + /** Raw bits. Unused bits must be zero */ + unsigned char bits[16]; + + cidr_mask() {} + /** Construct a CIDR mask from the string. Will normalize (127.0.0.1/8 => 127.0.0.0/8). */ + cidr_mask(const std::string& mask); + /** Construct a CIDR mask of a given length from the given address */ + cidr_mask(const irc::sockets::sockaddrs& addr, int len); + /** Equality of bits, type, and length */ + bool operator==(const cidr_mask& other) const; + /** Ordering defined for maps */ + bool operator<(const cidr_mask& other) const; + /** Match within this CIDR? */ + bool match(const irc::sockets::sockaddrs& addr) const; + /** Human-readable string */ + std::string str() const; + }; /** Match CIDR, including an optional username/nickname part. * @@ -99,7 +104,7 @@ namespace irc CoreExport int OpenTCPSocket(const std::string& addr, int socktype = SOCK_STREAM); /** Return the size of the structure for syscall passing */ - CoreExport int sa_size(const irc::sockets::sockaddrs& sa); + inline int sa_size(const irc::sockets::sockaddrs& sa) { return sa.sa_size(); } /** Convert an address-port pair into a binary sockaddr * @param addr The IP address, IPv4 or IPv6 @@ -122,12 +127,7 @@ namespace irc * @param sa The structure to convert * @return The string; "<unknown>" if not a valid address */ - CoreExport std::string satouser(const irc::sockets::sockaddrs& sa); - - /** Create a CIDR mask from the given address, of length <range> - * Result will be of the form 192.0.5.0/24 or 2001:af35::/48 - */ - CoreExport std::string mask(irc::sockets::sockaddrs sa, unsigned int range); + inline std::string satouser(const irc::sockets::sockaddrs& sa) { return sa.str(); } } } diff --git a/include/usermanager.h b/include/usermanager.h index 97277f3fb..eb3317b63 100644 --- a/include/usermanager.h +++ b/include/usermanager.h @@ -17,7 +17,7 @@ #include <list> /** A list of ip addresses cross referenced against clone counts */ -typedef std::map<irc::string, unsigned int> clonemap; +typedef std::map<irc::sockets::cidr_mask, unsigned int> clonemap; class CoreExport UserManager { diff --git a/include/users.h b/include/users.h index de69f6383..0fc6e3723 100644 --- a/include/users.h +++ b/include/users.h @@ -364,7 +364,7 @@ class CoreExport User : public StreamSocket /** Get CIDR mask, using default range, for this user */ - irc::string GetCIDRMask(); + irc::sockets::cidr_mask GetCIDRMask(); /** Sets the client IP for this user * @return true if the conversion was successful diff --git a/src/cidr.cpp b/src/cidr.cpp index d38056b02..31101836c 100644 --- a/src/cidr.cpp +++ b/src/cidr.cpp @@ -31,32 +31,6 @@ const unsigned char inverted_bits[8] = { 0x00, /* 00000000 - 0 bits - never actu }; -/* Match raw bytes using CIDR bit matching, used by higher level MatchCIDR() */ -bool irc::sockets::MatchCIDRBits(const unsigned char* address, const unsigned char* mask, unsigned int mask_bits) -{ - unsigned int divisor = mask_bits / 8; /* Number of whole bytes in the mask */ - unsigned int modulus = mask_bits % 8; /* Remaining bits in the mask after whole bytes are dealt with */ - - /* First (this is faster) compare the odd bits with logic ops */ - if (modulus) - if ((address[divisor] & inverted_bits[modulus]) != (mask[divisor] & inverted_bits[modulus])) - /* If they dont match, return false */ - return false; - - /* Secondly (this is slower) compare the whole bytes */ - if (memcmp(address, mask, divisor)) - return false; - - /* The address matches the mask, to mask_bits bits of mask */ - return true; -} - -/* Match CIDR, but dont attempt to match() against leading *!*@ sections */ -bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr_mask) -{ - return MatchCIDR(address, cidr_mask, false); -} - /* Match CIDR strings, e.g. 127.0.0.1 to 127.0.0.0/8 or 3ffe:1:5:6::8 to 3ffe:1::0/32 * If you have a lot of hosts to match, youre probably better off building your mask once * and then using the lower level MatchCIDRBits directly. @@ -66,10 +40,6 @@ bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr */ bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr_mask, bool match_with_username) { - unsigned char addr_raw[16]; - unsigned char mask_raw[16]; - unsigned int bits = 0; - std::string address_copy; std::string cidr_copy; @@ -105,69 +75,14 @@ bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr cidr_copy.assign(cidr_mask); } - in_addr address_in4; - in_addr mask_in4; - - std::string::size_type bits_chars = cidr_copy.rfind('/'); - - if (bits_chars != std::string::npos) - { - bits = atoi(cidr_copy.substr(bits_chars + 1).c_str()); - cidr_copy.erase(bits_chars, cidr_copy.length() - bits_chars); - } - else - { - /* No 'number of bits' field! */ - return false; - } - - in6_addr address_in6; - in6_addr mask_in6; - - if (inet_pton(AF_INET6, address_copy.c_str(), &address_in6) > 0) - { - if (inet_pton(AF_INET6, cidr_copy.c_str(), &mask_in6) > 0) - { - memcpy(&addr_raw, &address_in6.s6_addr, 16); - memcpy(&mask_raw, &mask_in6.s6_addr, 16); + irc::sockets::sockaddrs addr; + irc::sockets::aptosa(address_copy, 0, addr); - if (bits > 128) - bits = 128; - } - else - { - /* The address was valid ipv6, but the mask - * that goes with it wasnt. - */ - return false; - } - } - else if (inet_pton(AF_INET, address_copy.c_str(), &address_in4) > 0) - { - if (inet_pton(AF_INET, cidr_copy.c_str(), &mask_in4) > 0) - { - memcpy(&addr_raw, &address_in4.s_addr, 4); - memcpy(&mask_raw, &mask_in4.s_addr, 4); + irc::sockets::cidr_mask mask(cidr_copy); + irc::sockets::cidr_mask mask2(addr, mask.length); - if (bits > 32) - bits = 32; - } - else - { - /* The address was valid ipv4, - * but the mask that went with it wasnt. - */ - return false; - } - } - else - { - /* The address was neither ipv4 or ipv6 */ - return false; - } + return mask == mask2; - /* Low-level-match the bits in the raw data */ - return MatchCIDRBits(addr_raw, mask_raw, bits); } diff --git a/src/modules/m_clones.cpp b/src/modules/m_clones.cpp index fac64f356..09aa1043b 100644 --- a/src/modules/m_clones.cpp +++ b/src/modules/m_clones.cpp @@ -46,7 +46,7 @@ class CommandClones : public Command for (clonemap::iterator x = ServerInstance->Users->global_clones.begin(); x != ServerInstance->Users->global_clones.end(); x++) { if (x->second >= limit) - user->WriteServ(clonesstr + " "+ ConvToStr(x->second) + " " + assign(x->first)); + user->WriteServ(clonesstr + " "+ ConvToStr(x->second) + " " + x->first.str()); } user->WriteServ(clonesstr + " END"); diff --git a/src/modules/m_connectban.cpp b/src/modules/m_connectban.cpp index 735f3da99..276962b2d 100644 --- a/src/modules/m_connectban.cpp +++ b/src/modules/m_connectban.cpp @@ -81,7 +81,7 @@ class ModuleConnectBan : public Module break; } - irc::string mask = assign(irc::sockets::mask(u->client_sa, range)); + irc::sockets::cidr_mask mask(u->client_sa, range); i = connects.find(mask); if (i != connects.end()) @@ -91,15 +91,15 @@ class ModuleConnectBan : public Module if (i->second >= threshold) { // Create zline for set duration. - ZLine* zl = new ZLine(ServerInstance->Time(), banduration, ServerInstance->Config->ServerName.c_str(), "Connect flooding", mask.c_str()); + ZLine* zl = new ZLine(ServerInstance->Time(), banduration, ServerInstance->Config->ServerName.c_str(), "Connect flooding", mask.str().c_str()); if (ServerInstance->XLines->AddLine(zl,NULL)) ServerInstance->XLines->ApplyLines(); else delete zl; ServerInstance->SNO->WriteGlobalSno('x',"Module m_connectban added Z:line on *@%s to expire on %s: Connect flooding", - mask.c_str(), ServerInstance->TimeString(zl->expiry).c_str()); - ServerInstance->SNO->WriteGlobalSno('a', "Connect flooding from IP range %s (%d)", mask.c_str(), threshold); + mask.str().c_str(), ServerInstance->TimeString(zl->expiry).c_str()); + ServerInstance->SNO->WriteGlobalSno('a', "Connect flooding from IP range %s (%d)", mask.str().c_str(), threshold); connects.erase(i); } } diff --git a/src/modules/m_spanningtree/utils.cpp b/src/modules/m_spanningtree/utils.cpp index 723ff9352..da3417de9 100644 --- a/src/modules/m_spanningtree/utils.cpp +++ b/src/modules/m_spanningtree/utils.cpp @@ -29,34 +29,19 @@ ModResult ModuleSpanningTree::OnAcceptConnection(int newsock, ListenSocket* from if (from->bind_tag->getString("type") != "servers") return MOD_RES_PASSTHRU; - bool found = false; - int port; - std::string incomingip; - irc::sockets::satoap(*client, incomingip, port); + std::string incomingip = client->addr(); - found = (std::find(Utils->ValidIPs.begin(), Utils->ValidIPs.end(), incomingip) != Utils->ValidIPs.end()); - if (!found) + for (std::vector<std::string>::iterator i = Utils->ValidIPs.begin(); i != Utils->ValidIPs.end(); i++) { - for (std::vector<std::string>::iterator i = Utils->ValidIPs.begin(); i != Utils->ValidIPs.end(); i++) + if (*i == "*" || *i == incomingip || irc::sockets::cidr_mask(*i).match(*client)) { - if (*i == "*" || irc::sockets::MatchCIDR(incomingip, *i)) - { - found = true; - break; - } - } - - if (!found) - { - ServerInstance->SNO->WriteToSnoMask('l', "Server connection from %s denied (no link blocks with that IP address)", incomingip.c_str()); - return MOD_RES_DENY; + /* we don't need to do anything with the pointer, creating it stores it in the necessary places */ + new TreeSocket(Utils, newsock, from, client, server); + return MOD_RES_ALLOW; } } - - /* we don't need to do anything with the pointer, creating it stores it in the necessary places */ - - new TreeSocket(Utils, newsock, from, client, server); - return MOD_RES_ALLOW; + ServerInstance->SNO->WriteToSnoMask('l', "Server connection from %s denied (no link blocks with that IP address)", incomingip.c_str()); + return MOD_RES_DENY; } /** Yay for fast searches! diff --git a/src/socket.cpp b/src/socket.cpp index a92343d91..ef81542e1 100644 --- a/src/socket.cpp +++ b/src/socket.cpp @@ -11,8 +11,6 @@ * --------------------------------------------------- */ -/* $Core */ - #include "inspircd.h" #include "socket.h" #include "socketengine.h" @@ -203,59 +201,71 @@ bool irc::sockets::aptosa(const std::string& addr, int port, irc::sockets::socka return false; } -bool irc::sockets::satoap(const irc::sockets::sockaddrs& sa, std::string& addr, int &port) +int irc::sockets::sockaddrs::port() const +{ + if (sa.sa_family == AF_INET) + return ntohs(in4.sin_port); + if (sa.sa_family == AF_INET6) + return ntohs(in6.sin6_port); + return -1; +} + +std::string irc::sockets::sockaddrs::addr() const { char addrv[INET6_ADDRSTRLEN+1]; - if (sa.sa.sa_family == AF_INET) + if (sa.sa_family == AF_INET) { - if (!inet_ntop(AF_INET, &sa.in4.sin_addr, addrv, sizeof(addrv))) - return false; - addr = addrv; - port = ntohs(sa.in4.sin_port); - return true; + if (!inet_ntop(AF_INET, &in4.sin_addr, addrv, sizeof(addrv))) + return ""; + return addrv; } - else if (sa.sa.sa_family == AF_INET6) + else if (sa.sa_family == AF_INET6) { - if (!inet_ntop(AF_INET6, &sa.in6.sin6_addr, addrv, sizeof(addrv))) - return false; - addr = addrv; - port = ntohs(sa.in6.sin6_port); - return true; + if (!inet_ntop(AF_INET6, &in6.sin6_addr, addrv, sizeof(addrv))) + return ""; + return addrv; } - return false; + return ""; +} + +bool irc::sockets::satoap(const irc::sockets::sockaddrs& sa, std::string& addr, int &port) +{ + port = sa.port(); + addr = sa.addr(); + return !addr.empty(); } static const char all_zero[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 }; -std::string irc::sockets::satouser(const irc::sockets::sockaddrs& sa) +std::string irc::sockets::sockaddrs::str() const { char buffer[MAXBUF]; - if (sa.sa.sa_family == AF_INET) + if (sa.sa_family == AF_INET) { - if (sa.in4.sin_addr.s_addr == 0) + if (in4.sin_addr.s_addr == 0) { - sprintf(buffer, "*:%u", ntohs(sa.in4.sin_port)); + sprintf(buffer, "*:%u", ntohs(in4.sin_port)); } else { - const uint8_t* bits = reinterpret_cast<const uint8_t*>(&sa.in4.sin_addr); - sprintf(buffer, "%d.%d.%d.%d:%u", bits[0], bits[1], bits[2], bits[3], ntohs(sa.in4.sin_port)); + const uint8_t* bits = reinterpret_cast<const uint8_t*>(&in4.sin_addr); + sprintf(buffer, "%d.%d.%d.%d:%u", bits[0], bits[1], bits[2], bits[3], ntohs(in4.sin_port)); } } - else if (sa.sa.sa_family == AF_INET6) + else if (sa.sa_family == AF_INET6) { - if (!memcmp(all_zero, &sa.in6.sin6_addr, 16)) + if (!memcmp(all_zero, &in6.sin6_addr, 16)) { - sprintf(buffer, "*:%u", ntohs(sa.in6.sin6_port)); + sprintf(buffer, "*:%u", ntohs(in6.sin6_port)); } else { buffer[0] = '['; - if (!inet_ntop(AF_INET6, &sa.in6.sin6_addr, buffer+1, MAXBUF - 10)) + if (!inet_ntop(AF_INET6, &in6.sin6_addr, buffer+1, MAXBUF - 10)) return "<unknown>"; // should never happen, buffer is large enough int len = strlen(buffer); // no need for snprintf, buffer has at least 9 chars left, max short len = 5 - sprintf(buffer + len, "]:%u", ntohs(sa.in6.sin6_port)); + sprintf(buffer + len, "]:%u", ntohs(in6.sin6_port)); } } else @@ -263,41 +273,112 @@ std::string irc::sockets::satouser(const irc::sockets::sockaddrs& sa) return std::string(buffer); } -int irc::sockets::sa_size(const irc::sockets::sockaddrs& sa) +int irc::sockets::sockaddrs::sa_size() const { - if (sa.sa.sa_family == AF_INET) - return sizeof(sa.in4); - if (sa.sa.sa_family == AF_INET6) - return sizeof(sa.in6); + if (sa.sa_family == AF_INET) + return sizeof(in4); + if (sa.sa_family == AF_INET6) + return sizeof(in6); return 0; } -std::string irc::sockets::mask(irc::sockets::sockaddrs sa, unsigned int range) +static void sa2cidr(const irc::sockets::sockaddrs& sa, irc::sockets::cidr_mask& cidr, int range) { + const unsigned char* base; + cidr.type = sa.sa.sa_family; + if (cidr.type == AF_INET) + { + base = (unsigned char*)&sa.in4.sin_addr; + if (range > 32) + range = 32; + } + else if (cidr.type == AF_INET6) + { + base = (unsigned char*)&sa.in6.sin6_addr; + if (range > 128) + range = 128; + } + else + { + base = (unsigned char*)""; + range = 0; + } + cidr.length = range; + unsigned int border = range / 8; + unsigned int bitmask = (0xFF00 >> (range & 7)) & 0xFF; + for(unsigned int i=0; i < 16; i++) + { + if (i < border) + cidr.bits[i] = base[i]; + else if (i == border) + cidr.bits[i] = base[i] & bitmask; + else + cidr.bits[i] = 0; + } +} + +irc::sockets::cidr_mask::cidr_mask(const irc::sockets::sockaddrs& sa, int range) +{ + sa2cidr(sa, *this, range); +} + +irc::sockets::cidr_mask::cidr_mask(const std::string& mask) +{ + std::string::size_type bits_chars = mask.rfind('/'); + irc::sockets::sockaddrs sa; + + if (bits_chars == std::string::npos) + { + irc::sockets::aptosa(mask, 0, sa); + sa2cidr(sa, *this, 128); + } + else + { + int range = atoi(mask.substr(bits_chars + 1).c_str()); + irc::sockets::aptosa(mask.substr(0, bits_chars), 0, sa); + sa2cidr(sa, *this, range); + } +} + +std::string irc::sockets::cidr_mask::str() const +{ + irc::sockets::sockaddrs sa; + sa.sa.sa_family = type; unsigned char* base; - unsigned int len; - if (sa.sa.sa_family == AF_INET) + int len; + if (type == AF_INET) { base = (unsigned char*)&sa.in4.sin_addr; len = 4; } - else if (sa.sa.sa_family == AF_INET6) + else if (type == AF_INET6) { base = (unsigned char*)&sa.in6.sin6_addr; len = 16; } else return ""; - if (range > 8*len) - range = 8*len; - unsigned int byte = range / 8; - unsigned int bits = (-1 << (range & 7)); - base[byte++] &= bits; - while (byte < len) - base[byte++] = 0; - int dummy; - std::string rv; - irc::sockets::satoap(sa, rv, dummy); - return rv + "/" + ConvToStr(range); + memcpy(base, bits, len); + return sa.addr() + "/" + ConvToStr(length); +} + +bool irc::sockets::cidr_mask::operator==(const cidr_mask& other) const +{ + return type == other.type && length == other.length && + 0 == memcmp(bits, other.bits, 16); +} + +bool irc::sockets::cidr_mask::operator<(const cidr_mask& other) const +{ + return type < other.type || length < other.length || + memcmp(bits, other.bits, 16) < 0; +} + +bool irc::sockets::cidr_mask::match(const irc::sockets::sockaddrs& addr) const +{ + if (addr.sa.sa_family != type) + return false; + irc::sockets::cidr_mask tmp(addr, length); + return tmp == *this; } diff --git a/src/usermanager.cpp b/src/usermanager.cpp index 577d52f67..06d6ad1cd 100644 --- a/src/usermanager.cpp +++ b/src/usermanager.cpp @@ -11,8 +11,6 @@ * --------------------------------------------------- */ -/* $Core */ - #include "inspircd.h" #include "xline.h" #include "bancache.h" diff --git a/src/users.cpp b/src/users.cpp index 424484b8c..cf2d11a0a 100644 --- a/src/users.cpp +++ b/src/users.cpp @@ -965,7 +965,7 @@ const char* User::GetIPString() return cachedip.c_str(); } -irc::string User::GetCIDRMask() +irc::sockets::cidr_mask User::GetCIDRMask() { int range = 0; switch (client_sa.sa.sa_family) @@ -977,7 +977,7 @@ irc::string User::GetCIDRMask() range = ServerInstance->Config->c_ipv4_range; break; } - return assign(irc::sockets::mask(client_sa, range)); + return irc::sockets::cidr_mask(client_sa, range); } bool User::SetClientIP(const char* sip) |