1 /* mod-sockcheck.c - insecure proxy checking
2 * Copyright 2000-2004 srvx Development Team
4 * This file is part of srvx.
6 * srvx is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with srvx; if not, write to the Free Software Foundation,
18 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
27 #ifdef HAVE_SYS_SOCKET_H
28 #include <sys/socket.h>
30 #ifdef HAVE_NETINET_IN_H
31 #include <netinet/in.h>
33 #ifdef HAVE_ARPA_INET_H
34 #include <arpa/inet.h>
37 /* TODO, 1.3 or later: allow rules like "27374:" "reject:Subseven detected";
38 * (For convenience; right now it assumes that there will be a state
39 * rather than an immediate response upon connection.)
42 #if !defined(SOCKCHECK_DEBUG)
43 #define SOCKCHECK_DEBUG 0
45 #define SOCKCHECK_TEST_DB "sockcheck.conf"
47 enum sockcheck_decision {
54 enum sockcheck_decision decision;
59 } *sockcheck_cache_info;
61 DECLARE_LIST(sci_list, sockcheck_cache_info);
62 DEFINE_LIST(sci_list, sockcheck_cache_info)
64 /* Here's the list of hosts that need to be started on.
66 static struct sci_list pending_sci_list;
68 /* Map of previously checked IPs state (if we've accepted the address yet).
69 * The data for each entry is a pointer to a sockcheck_cache_info.
71 static dict_t checked_ip_dict;
73 /* Each sockcheck template is formed as a Mealy state machine (that is,
74 * the output on a state transition is a function of both the current
75 * state and the input). Mealy state machines require fewer states to
76 * match the same input than Moore machines (where the output is only
77 * a function of the current state).
79 * A state is characterized by sending some data (possibly nothing),
80 * waiting a certain amount of time to receive one of zero or more
81 * responses, and a decision (accept, reject, continue to another
82 * state) based on the received response.
85 struct sockcheck_response {
87 struct sockcheck_state *next;
90 DECLARE_LIST(response_list, struct sockcheck_response *);
91 DEFINE_LIST(response_list, struct sockcheck_response *)
92 static unsigned int max_responses;
94 struct sockcheck_state {
96 unsigned short timeout;
98 enum sockcheck_decision type;
100 struct response_list responses;
103 struct sockcheck_list {
104 unsigned int size, used, refs;
105 struct sockcheck_state **list;
111 static struct sockcheck_list *tests;
113 /* Stuff to track client state, one instance per open connection. */
114 struct sockcheck_client {
116 struct sockcheck_list *tests;
117 sockcheck_cache_info addr;
118 unsigned int client_index;
119 unsigned int test_index;
120 unsigned short test_rep;
121 struct sockcheck_state *state;
122 unsigned int read_size, read_used, read_pos;
124 const char **resp_state;
128 unsigned int max_clients;
129 unsigned int max_read;
130 unsigned int gline_duration;
131 unsigned int max_cache_age;
132 struct sockaddr_in *local_addr;
136 static unsigned int sockcheck_num_clients;
137 static struct sockcheck_client **client_list;
138 static unsigned int proxies_detected, checked_ip_count;
139 static struct module *sockcheck_module;
140 static struct log_type *PC_LOG;
141 const char *sockcheck_module_deps[] = { NULL };
143 static const struct message_entry msgtab[] = {
144 { "PCMSG_PROXY_DEFINITION_FAILED", "Proxy definition failed: %s" },
145 { "PCMSG_PROXY_DEFINITION_SUCCEEDED", "New proxy type defined." },
146 { "PCMSG_UNSCANNABLE_IP", "%s has a spoofed, hidden or localnet IP." },
147 { "PCMSG_ADDRESS_QUEUED", "$b%s$b is now queued to be proxy-checked." },
148 { "PCMSG_ADDRESS_UNRESOLVED", "Unable to resolve $b%s$b to an IP address." },
149 { "PCMSG_CHECKING_ADDRESS", "$b%s$b is currently being checked; unable to clear it." },
150 { "PCMSG_NOT_REMOVED_FROM_CACHE", "$b%s$b was not cached and therefore was not cleared." },
151 { "PCMSG_REMOVED_FROM_CACHE", "$b%s$b was cleared from the cached hosts list." },
152 { "PCMSG_DISABLED", "Proxy scanning is $bdisabled$b." },
153 { "PCMSG_NOT_CACHED", "No proxycheck records exist for IP %s." },
154 { "PCMSG_STATUS_CHECKING", "IP %s proxycheck state: last touched %s ago, still checking" },
155 { "PCMSG_STATUS_ACCEPTED", "IP %s proxycheck state: last touched %s ago, acepted" },
156 { "PCMSG_STATUS_REJECTED", "IP %s proxycheck state: last touched %s ago, rejected: %s" },
157 { "PCMSG_STATUS_UNKNOWN", "IP %s proxycheck state: last touched %s ago, invalid status" },
158 { "PCMSG_STATISTICS", "Since booting, I have checked %d clients for illicit proxies, and detected %d proxy hosts.\nI am currently checking %d clients (out of %d max) and have a backlog of %d more to start on.\nI currently have %d hosts cached.\nI know how to detect %d kinds of proxies." },
162 static struct sockcheck_list *
163 sockcheck_list_alloc(unsigned int size)
165 struct sockcheck_list *list = malloc(sizeof(*list));
169 list->list = malloc(list->size*sizeof(list->list[0]));
174 sockcheck_list_append(struct sockcheck_list *list, struct sockcheck_state *new_item)
176 if (list->used == list->size) {
178 list->list = realloc(list->list, list->size*sizeof(list->list[0]));
180 list->list[list->used++] = new_item;
183 static struct sockcheck_list *
184 sockcheck_list_clone(struct sockcheck_list *old_list)
186 struct sockcheck_list *new_list = malloc(sizeof(*new_list));
187 new_list->used = old_list->used;
189 new_list->size = old_list->size;
190 new_list->list = malloc(new_list->size*sizeof(new_list->list[0]));
191 memcpy(new_list->list, old_list->list, new_list->used*sizeof(new_list->list[0]));
196 sockcheck_list_unref(struct sockcheck_list *list)
198 if (!list || --list->refs > 0) return;
204 sockcheck_issue_gline(sockcheck_cache_info sci)
206 char *target = alloca(3+strlen(sci->hostname));
207 strcpy(target, "*@");
208 strcpy(target+2, sci->hostname);
209 log_module(PC_LOG, LOG_INFO, "Issuing gline for client at IP %s hostname %s: %s", inet_ntoa(sci->addr), sci->hostname, sci->reason);
210 gline_add("ProxyCheck", target, sockcheck_conf.gline_duration, sci->reason, now, 1);
213 static struct sockcheck_client *
214 sockcheck_alloc_client(sockcheck_cache_info sci)
216 struct sockcheck_client *client;
217 client = calloc(1, sizeof(*client));
218 client->tests = tests;
219 client->tests->refs++;
221 client->read_size = sockcheck_conf.max_read;
222 client->read = malloc(client->read_size);
223 client->resp_state = malloc(max_responses * sizeof(client->resp_state[0]));
228 sockcheck_free_client(struct sockcheck_client *client)
230 if (SOCKCHECK_DEBUG) {
231 log_module(PC_LOG, LOG_INFO, "Goodbye %s (%p)! I set you free!", client->addr->hostname, client);
233 if (client->fd) ioset_close(client->fd->fd, 1);
234 sockcheck_list_unref(client->tests);
236 free(client->resp_state);
240 static void sockcheck_start_client(unsigned int idx);
241 static void sockcheck_begin_test(struct sockcheck_client *client);
242 static void sockcheck_advance(struct sockcheck_client *client, unsigned int next_state);
245 sockcheck_timeout_client(void *data)
247 struct sockcheck_client *client = data;
248 if (SOCKCHECK_DEBUG) {
249 log_module(PC_LOG, LOG_INFO, "Client %s timed out.", client->addr->hostname);
251 sockcheck_advance(client, client->state->responses.used-1);
255 sockcheck_print_client(const struct sockcheck_client *client)
257 static const char *decs[] = {"CHECKING", "ACCEPT", "REJECT"};
258 log_module(PC_LOG, LOG_INFO, "client %p: { addr = %p { decision = %s; last_touched = "FMT_TIME_T"; reason = %s; hostname = \"%s\" }; "
259 "test_index = %d; state = %p { port = %d; type = %s; template = \"%s\"; ... }; "
260 "fd = %p(%d); read = %p; read_size = %d; read_used = %d; read_pos = %d; }",
261 client, client->addr, decs[client->addr->decision], client->addr->last_touched, client->addr->reason, client->addr->hostname,
262 client->test_index, client->state,
263 (client->state ? client->state->port : 0),
264 (client->state ? decs[client->state->type] : "N/A"),
265 (client->state ? client->state->template : "N/A"),
266 client->fd, (client->fd ? client->fd->fd : 0),
267 client->read, client->read_size, client->read_used, client->read_pos);
270 static char hexvals[256] = {
271 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0 */
272 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 */
273 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 32 */
274 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, /* 48 */
275 0,10,11,12,13,14,15, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 64 */
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80 */
277 0,10,11,12,13,14,15, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 96 */
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 /* 112 */
282 expand_var(const struct sockcheck_client *client, char var, char **p_expansion, unsigned int *p_exp_length)
284 extern struct cManagerNode cManager;
285 const char *expansion;
286 unsigned int exp_length;
294 /* expand variable */
297 expansion = client->addr->hostname;
298 exp_length = strlen(expansion);
301 exp4 = client->addr->addr.s_addr;
302 exp_length = sizeof(exp4);
303 expansion = (char*)&exp4;
306 exp2 = htons(client->state->port);
307 exp_length = sizeof(exp2);
308 expansion = (char*)&exp2;
311 expansion = cManager.uplink->host;
312 exp_length = strlen(expansion);
315 log_module(PC_LOG, LOG_WARNING, "Request to expand unknown sockcheck variable $%c, using empty expansion.", var);
320 *p_expansion = malloc(exp_length);
321 memcpy(*p_expansion, expansion, exp_length);
324 *p_exp_length = exp_length;
329 sockcheck_check_template(const char *template, int is_input)
332 if (is_input && !strcmp(template, "other")) return 1;
333 for (nn=0; template[nn]; nn += 2) {
334 switch (template[nn]) {
336 if (!template[nn+1]) {
337 log_module(MAIN_LOG, LOG_ERROR, "ProxyCheck template %s had = at end of template; needs a second character.", template);
342 switch (template[nn+1]) {
343 case 'c': case 'i': case 'p': case 'u': break;
345 log_module(MAIN_LOG, LOG_ERROR, "ProxyCheck template %s refers to unknown variable %c (pos %d).", template, template[nn+1], nn);
351 log_module(MAIN_LOG, LOG_ERROR, "ProxyCheck template %s: . is only valid in input templates.", template);
354 if (template[nn+1] != '.') {
355 log_module(MAIN_LOG, LOG_ERROR, "ProxyCheck template %s expects .. to come in twos (pos %d).", template, nn);
359 case '0': case '1': case '2': case '3': case '4':
360 case '5': case '6': case '7': case '8': case '9':
361 case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
362 case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
363 if (!hexvals[(unsigned char)template[nn+1]] && (template[nn+1] != '0')) {
364 log_module(MAIN_LOG, LOG_ERROR, "ProxyCheck template %s expects hex characters to come in twos (pos %d).", template, nn);
369 log_module(MAIN_LOG, LOG_ERROR, "ProxyCheck template %s: unrecognized character '%c' (pos %d).", template, template[nn], nn);
377 sockcheck_elaborate_state(struct sockcheck_client *client)
379 const char *template;
382 for (template = client->state->template, nn = 0; template[nn]; nn += 2) {
383 switch (template[nn]) {
384 case '=': ioset_write(client->fd, template+nn+1, 1); break;
385 case '0': case '1': case '2': case '3': case '4':
386 case '5': case '6': case '7': case '8': case '9':
387 case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
388 case 'A': case 'B': case 'C': case 'D': case 'E': case 'F': {
389 char ch = hexvals[(unsigned char)template[nn]] << 4
390 | hexvals[(unsigned char)template[nn+1]];
391 ioset_write(client->fd, &ch, 1);
396 unsigned int exp_length;
397 expand_var(client, template[nn+1], &expansion, &exp_length);
398 ioset_write(client->fd, expansion, exp_length);
404 for (nn=0; nn<client->state->responses.used; nn++) {
405 /* Set their resp_state to the start of the response. */
406 client->resp_state[nn] = client->state->responses.list[nn]->template;
407 /* If it doesn't require reading, take it now. */
408 if (client->resp_state[nn] && !*client->resp_state[nn]) {
409 if (SOCKCHECK_DEBUG) {
410 log_module(PC_LOG, LOG_INFO, "Skipping straight to easy option %d for %p.", nn, client);
412 sockcheck_advance(client, nn);
416 timeq_add(now + client->state->timeout, sockcheck_timeout_client, client);
417 if (SOCKCHECK_DEBUG) {
418 log_module(PC_LOG, LOG_INFO, "Elaborated state for %s:", client->addr->hostname);
419 sockcheck_print_client(client);
424 sockcheck_decide(struct sockcheck_client *client, enum sockcheck_decision decision)
429 client->addr->decision = decision;
430 client->addr->last_touched = now;
434 if (SOCKCHECK_DEBUG) {
435 log_module(PC_LOG, LOG_INFO, "Proxy check passed for client at IP %s hostname %s.", inet_ntoa(client->addr->addr), client->addr->hostname);
439 client->addr->reason = client->state->template;
441 sockcheck_issue_gline(client->addr);
442 if (SOCKCHECK_DEBUG) {
443 log_module(PC_LOG, LOG_INFO, "Proxy check rejects client at IP %s hostname %s (%s)", inet_ntoa(client->addr->addr), client->addr->hostname, client->addr->reason);
445 /* Don't compare test_index != 0 directly, because somebody
446 * else may have reordered the tests already. */
447 if (client->tests->list[client->test_index] != tests->list[0]) {
448 struct sockcheck_list *new_tests = sockcheck_list_clone(tests);
449 struct sockcheck_state *new_first = client->tests->list[client->test_index];
450 for (n=0; (n<tests->used) && (tests->list[n] != new_first); n++) ;
451 for (; n>0; n--) new_tests->list[n] = new_tests->list[n-1];
452 new_tests->list[0] = new_first;
453 sockcheck_list_unref(tests);
458 log_module(PC_LOG, LOG_ERROR, "BUG: sockcheck_decide(\"%s\", %d): unrecognized decision.", client->addr->hostname, decision);
460 n = client->client_index;
461 sockcheck_free_client(client);
462 if ((--sockcheck_num_clients < sockcheck_conf.max_clients)
463 && (pending_sci_list.used > 0)) {
464 sockcheck_start_client(n);
471 sockcheck_advance(struct sockcheck_client *client, unsigned int next_state)
473 struct sockcheck_state *ns;
475 timeq_del(0, sockcheck_timeout_client, client, TIMEQ_IGNORE_WHEN);
476 if (SOCKCHECK_DEBUG) {
479 static const char *hexmap = "0123456789ABCDEF";
480 log_module(PC_LOG, LOG_INFO, "sockcheck_advance(%s) following response %d (type %d) of %d.", client->addr->hostname, next_state, client->state->responses.list[next_state]->next->type, client->state->responses.used);
481 for (n=0; n<client->read_used; n++) {
482 for (m=0; (m<(sizeof(buffer)-1)>>1) && ((n+m) < client->read_used); m++) {
483 buffer[m << 1] = hexmap[client->read[n+m] >> 4];
484 buffer[m << 1 | 1] = hexmap[client->read[n+m] & 15];
487 log_module(PC_LOG, LOG_INFO, " .. read data: %s", buffer);
490 sockcheck_print_client(client);
493 ns = client->state = client->state->responses.list[next_state]->next;
496 sockcheck_elaborate_state(client);
499 sockcheck_decide(client, REJECT);
502 if (++client->test_rep < client->tests->list[client->test_index]->reps) {
503 sockcheck_begin_test(client);
504 } else if (++client->test_index < client->tests->used) {
505 client->test_rep = 0;
506 sockcheck_begin_test(client);
508 sockcheck_decide(client, ACCEPT);
512 log_module(PC_LOG, LOG_ERROR, "BUG: unknown next-state type %d (after %p).", ns->type, client->state);
518 sockcheck_readable(struct io_fd *fd)
520 /* read what we can from the fd */
521 struct sockcheck_client *client = fd->data;
525 res = read(fd->fd, client->read + client->read_used, client->read_size - client->read_used);
527 switch (res = errno) {
529 log_module(PC_LOG, LOG_ERROR, "BUG: sockcheck_readable(%d/%s): read() returned errno %d (%s)", fd->fd, client->addr->hostname, errno, strerror(errno));
533 sockcheck_advance(client, client->state->responses.used - 1);
536 } else if (res == 0) {
537 sockcheck_advance(client, client->state->responses.used - 1);
540 client->read_used += res;
542 if (SOCKCHECK_DEBUG) {
545 static const char *hexmap = "0123456789ABCDEF";
546 for (n=0; n<client->read_used; n++) {
547 for (m=0; (m<(sizeof(buffer)-1)>>1) && ((n+m) < client->read_used); m++) {
548 buffer[m << 1] = hexmap[client->read[n+m] >> 4];
549 buffer[m << 1 | 1] = hexmap[client->read[n+m] & 15];
552 log_module(PC_LOG, LOG_INFO, "read %d bytes data: %s", client->read_used, buffer);
557 /* See if what's been read matches any of the expected responses */
558 while (client->read_pos < client->read_used) {
559 unsigned int last_pos = client->read_pos;
561 const char *resp_state;
563 for (nn=0; nn<(client->state->responses.used-1); nn++) {
565 unsigned int exp_length = 1, free_exp = 0;
566 /* compare against possible target */
567 resp_state = client->resp_state[nn];
568 if (resp_state == NULL) continue;
569 switch (*resp_state) {
571 bleh = resp_state[1];
575 /* any character passes */
579 case '0': case '1': case '2': case '3': case '4':
580 case '5': case '6': case '7': case '8': case '9':
581 case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
582 case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
583 bleh = hexvals[(unsigned char)resp_state[0]] << 4
584 | hexvals[(unsigned char)resp_state[1]];
588 expand_var(client, resp_state[1], &expected, &exp_length);
592 if (client->read_pos+exp_length <= client->read_used) {
593 if (exp_length && memcmp(client->read+client->read_pos, expected, exp_length)) {
596 client->read_pos += exp_length;
599 /* can't check the variable yet, so come back later */
602 if (free_exp) free(expected);
604 client->resp_state[nn] = resp_state = resp_state + 2;
606 sockcheck_advance(client, nn);
610 client->resp_state[nn] = NULL;
613 if (last_pos == client->read_pos) break;
616 /* nothing seemed to match. what now? */
617 if (client->read_used >= client->read_size) {
618 /* we got more data than we expected to get .. don't read any more */
619 if (SOCKCHECK_DEBUG) {
620 log_module(PC_LOG, LOG_INFO, "Buffer filled (unmatched) for client %s", client->addr->hostname);
622 sockcheck_advance(client, client->state->responses.used-1);
628 sockcheck_connected(struct io_fd *fd, int rc)
630 struct sockcheck_client *client = fd->data;
634 log_module(PC_LOG, LOG_ERROR, "BUG: connect() got error %d (%s) for client at %s.", rc, strerror(rc), client->addr->hostname);
638 if (SOCKCHECK_DEBUG) {
639 log_module(PC_LOG, LOG_INFO, "Client %s gave us errno %d (%s)", client->addr->hostname, rc, strerror(rc));
641 sockcheck_advance(client, client->state->responses.used-1);
646 if (SOCKCHECK_DEBUG) {
647 log_module(PC_LOG, LOG_INFO, "Connected: to %s port %d.", client->addr->hostname, client->state->port);
649 sockcheck_elaborate_state(client);
653 sockcheck_begin_test(struct sockcheck_client *client)
658 ioset_close(client->fd->fd, 1);
662 client->state = client->tests->list[client->test_index];
663 client->read_pos = 0;
664 client->read_used = 0;
665 client->fd = io_fd = ioset_connect((struct sockaddr*)sockcheck_conf.local_addr, sizeof(struct sockaddr), client->addr->hostname, client->state->port, 0, client, sockcheck_connected);
667 client->test_index++;
670 io_fd->readable_cb = sockcheck_readable;
671 timeq_add(now + client->state->timeout, sockcheck_timeout_client, client);
672 if (SOCKCHECK_DEBUG) {
673 log_module(PC_LOG, LOG_INFO, "Starting proxy check on %s:%d (test %d) with fd %d (%p).", client->addr->hostname, client->state->port, client->test_index, io_fd->fd, io_fd);
676 } while (client->test_index < client->tests->used);
677 /* Ran out of tests to run; accept this client. */
678 sockcheck_decide(client, ACCEPT);
682 sockcheck_start_client(unsigned int idx)
684 sockcheck_cache_info sci;
685 struct sockcheck_client *client;
687 if (pending_sci_list.used == 0) return;
688 if (!(sci = pending_sci_list.list[0])) {
689 log_module(PC_LOG, LOG_ERROR, "BUG: sockcheck_start_client(%d) found null pointer in pending_sci_list.", idx);
692 memmove(pending_sci_list.list, pending_sci_list.list+1,
693 (--pending_sci_list.used)*sizeof(pending_sci_list.list[0]));
694 sockcheck_num_clients++;
696 client = client_list[idx] = sockcheck_alloc_client(sci);
697 log_module(PC_LOG, LOG_INFO, "Proxy-checking client at %s (%s) as client %d (%p) of %d.", inet_ntoa(sci->addr), sci->hostname, idx, client, sockcheck_num_clients);
698 client->test_rep = 0;
699 client->client_index = idx;
700 sockcheck_begin_test(client);
704 sockcheck_queue_address(struct in_addr addr)
706 sockcheck_cache_info sci;
707 char *ipstr=inet_ntoa(addr);
709 sci = dict_find(checked_ip_dict, ipstr, NULL);
711 switch (sci->decision) {
713 /* We are already checking this host. */
716 if ((sci->last_touched + sockcheck_conf.max_cache_age) >= (unsigned)now) return;
719 if ((sci->last_touched + sockcheck_conf.gline_duration) >= (unsigned)now) {
720 sockcheck_issue_gline(sci);
725 dict_remove(checked_ip_dict, sci->hostname);
727 sci = calloc(1, sizeof(*sci));
728 sci->decision = CHECKING;
729 sci->last_touched = now;
732 strncpy(sci->hostname, ipstr, sizeof(sci->hostname));
733 dict_insert(checked_ip_dict, sci->hostname, sci);
734 sci_list_append(&pending_sci_list, sci);
735 if (sockcheck_num_clients < sockcheck_conf.max_clients)
736 sockcheck_start_client(sockcheck_num_clients);
740 sockcheck_uncache_host(const char *name)
742 sockcheck_cache_info sci;
743 if ((sci = dict_find(checked_ip_dict, name, NULL))
744 && (sci->decision == CHECKING)) {
747 return dict_remove(checked_ip_dict, name);
751 sockcheck_create_response(const char *key, void *data, void *extra)
753 const char *str, *end;
754 struct record_data *rd = data;
755 struct sockcheck_state *parent = extra;
756 struct sockcheck_response *resp;
760 /* allocate memory and tack it onto parent->responses */
761 resp = malloc(sizeof(*resp));
762 for (end = key; *end != ':' && *end != 0; end += 2 && end) ;
763 templ = malloc(end - key + 1);
764 memcpy(templ, key, end - key);
765 templ[end - key] = 0;
766 resp->template = templ;
767 if (!sockcheck_check_template(resp->template, 1)) _exit(1);
768 resp->next = malloc(sizeof(*resp->next));
769 resp->next->port = parent->port;
770 response_list_append(&parent->responses, resp);
771 /* now figure out how to create resp->next */
772 if ((str = GET_RECORD_QSTRING(rd))) {
773 if (!ircncasecmp(str, "reject", 6)) {
774 resp->next->type = REJECT;
775 } else if (!ircncasecmp(str, "accept", 6)) {
776 resp->next->type = ACCEPT;
778 log_module(PC_LOG, LOG_ERROR, "Error: unknown sockcheck decision `%s', defaulting to accept.", str);
779 resp->next->type = ACCEPT;
782 resp->next->template = strdup(str+7);
784 resp->next->template = strdup("No explanation given");
786 } else if ((resps = GET_RECORD_OBJECT(rd))) {
787 resp->next->type = CHECKING;
788 response_list_init(&resp->next->responses);
790 resp->next->template = strdup(end+1);
791 if (!sockcheck_check_template(resp->next->template, 0)) _exit(1);
793 resp->next->template = strdup("");
795 dict_foreach(resps, sockcheck_create_response, resp->next);
800 /* key: PORT:send-pattern, as in keys of sockcheck.conf.example
801 * data: recdb record_data containing response
802 * extra: struct sockcheck_list* to append test to
805 sockcheck_create_test(const char *key, void *data, void *extra)
808 struct record_data *rd;
810 struct sockcheck_state *new_test;
814 new_test = malloc(sizeof(*new_test));
815 new_test->template = NULL;
817 new_test->port = strtoul(key, &end, 0);
818 new_test->timeout = 5;
819 new_test->type = CHECKING;
820 response_list_init(&new_test->responses);
821 if (!(object = GET_RECORD_OBJECT(rd))) {
822 log_module(PC_LOG, LOG_ERROR, "Error: misformed sockcheck test `%s', skipping it.", key);
828 case '@': new_test->timeout = strtoul(end+1, &end, 0); break;
829 case '*': new_test->reps = strtoul(end+1, &end, 0); break;
831 new_test->template = strdup(end+1);
833 if (!sockcheck_check_template(new_test->template, 0)) _exit(1);
836 log_module(PC_LOG, LOG_ERROR, "Error: misformed sockcheck test `%s', skipping it.", key);
841 if (!new_test->template) {
842 log_module(PC_LOG, LOG_ERROR, "Error: misformed sockcheck test `%s', skipping it.", key);
846 dict_foreach(object, sockcheck_create_response, new_test);
847 /* If none of the responses have template "other", create a
848 * default response that goes to accept. */
849 for (n=0; n<new_test->responses.used; n++) {
850 if (!strcmp(new_test->responses.list[n]->template, "other")) break;
852 if (n == new_test->responses.used) {
853 rd = alloc_record_data_qstring("accept");
854 sockcheck_create_response("other", rd, new_test);
855 free_record_data(rd);
856 } else if (n != (new_test->responses.used - 1)) {
857 struct sockcheck_response *tmp;
858 /* switch the response for "other" to the end */
859 tmp = new_test->responses.list[new_test->responses.used - 1];
860 new_test->responses.list[new_test->responses.used - 1] = new_test->responses.list[n];
861 new_test->responses.list[n] = tmp;
863 if (new_test->responses.used > max_responses) {
864 max_responses = new_test->responses.used;
866 sockcheck_list_append(extra, new_test);
871 sockcheck_read_tests(void)
874 struct sockcheck_list *new_tests;
875 test_db = parse_database(SOCKCHECK_TEST_DB);
878 if (dict_size(test_db) > 0) {
879 new_tests = sockcheck_list_alloc(dict_size(test_db));
880 dict_foreach(test_db, sockcheck_create_test, new_tests);
881 if (tests) sockcheck_list_unref(tests);
884 log_module(PC_LOG, LOG_ERROR, "%s was empty - disabling sockcheck.", SOCKCHECK_TEST_DB);
886 free_database(test_db);
890 sockcheck_free_state(struct sockcheck_state *state)
893 if (state->type == CHECKING) {
894 for (n=0; n<state->responses.used; n++) {
895 free((char*)state->responses.list[n]->template);
896 sockcheck_free_state(state->responses.list[n]->next);
897 free(state->responses.list[n]);
899 response_list_clean(&state->responses);
901 free((char*)state->template);
906 sockcheck_add_test(const char *desc)
908 struct sockcheck_list *new_tests;
911 struct record_data *rd;
913 if ((reason = parse_record(desc, &name, &rd)))
915 new_tests = sockcheck_list_clone(tests);
916 if (sockcheck_create_test(name, rd, new_tests)) {
917 sockcheck_list_unref(new_tests);
918 return "Sockcheck test parse error";
920 sockcheck_list_unref(tests);
926 sockcheck_shutdown(void)
931 for (n=0; n<sockcheck_conf.max_clients; n++) {
933 sockcheck_free_client(client_list[n]);
937 sockcheck_num_clients = 0;
938 dict_delete(checked_ip_dict);
939 sci_list_clean(&pending_sci_list);
941 for (n=0; n<tests->used; n++)
942 sockcheck_free_state(tests->list[n]);
943 sockcheck_list_unref(tests);
944 if (sockcheck_conf.local_addr) {
945 free(sockcheck_conf.local_addr);
946 sockcheck_conf.local_addr_len = 0;
951 sockcheck_clean_cache(UNUSED_ARG(void *data))
954 dict_iterator_t it, next;
955 sockcheck_cache_info sci;
959 if (SOCKCHECK_DEBUG) {
960 struct string_buffer sb;
961 string_buffer_init(&sb);
962 /* Remember which clients we're still checking; we're not allowed to remove them. */
963 for (curr_clients = dict_new(), nn=0; nn < sockcheck_conf.max_clients; nn++) {
964 if (!client_list[nn])
966 dict_insert(curr_clients, client_list[nn]->addr->hostname, client_list[nn]);
967 string_buffer_append(&sb, ' ');
968 string_buffer_append_string(&sb, client_list[nn]->addr->hostname);
970 string_buffer_append(&sb, '\0');
971 log_module(PC_LOG, LOG_INFO, "Cleaning sockcheck cache at "FMT_TIME_T"; current clients: %s.", now, sb.list);
972 string_buffer_clean(&sb);
974 for (curr_clients = dict_new(), nn=0; nn < sockcheck_conf.max_clients; nn++) {
975 if (!client_list[nn])
977 dict_insert(curr_clients, client_list[nn]->addr->hostname, client_list[nn]);
981 for (it=dict_first(checked_ip_dict); it; it=next) {
982 next = iter_next(it);
984 max_age = (sci->decision == REJECT) ? sockcheck_conf.gline_duration : sockcheck_conf.max_cache_age;
985 if (((sci->last_touched + max_age) < now)
986 && !dict_find(curr_clients, sci->hostname, NULL)) {
987 if (SOCKCHECK_DEBUG) {
988 log_module(PC_LOG, LOG_INFO, " .. nuking %s (last touched "FMT_TIME_T").", sci->hostname, sci->last_touched);
990 dict_remove(checked_ip_dict, sci->hostname);
993 dict_delete(curr_clients);
994 timeq_add(now+sockcheck_conf.max_cache_age, sockcheck_clean_cache, 0);
997 static MODCMD_FUNC(cmd_defproxy)
1001 if ((reason = sockcheck_add_test(unsplit_string(argv+1, argc-1, NULL)))) {
1002 reply("PCMSG_PROXY_DEFINITION_FAILED", reason);
1005 reply("PCMSG_PROXY_DEFINITION_SUCCEEDED");
1009 static MODCMD_FUNC(cmd_hostscan)
1013 struct in_addr ipaddr;
1016 for (n=1; n<argc; n++) {
1017 struct userNode *un = GetUserH(argv[n]);
1020 if ((un->ip.s_addr == 0) || (ntohl(un->ip.s_addr) == INADDR_LOOPBACK)) {
1021 reply("PCMSG_UNSCANNABLE_IP", un->nick);
1023 strcpy(hnamebuf, inet_ntoa(un->ip));
1024 sockcheck_queue_address(un->ip);
1025 reply("PCMSG_ADDRESS_QUEUED", hnamebuf);
1028 char *scanhost = argv[n];
1029 if (getipbyname(scanhost, &addr)) {
1030 ipaddr.s_addr = htonl(addr);
1031 sockcheck_queue_address(ipaddr);
1032 reply("PCMSG_ADDRESS_QUEUED", scanhost);
1034 reply("PCMSG_ADDRESS_UNRESOLVED", scanhost);
1041 static MODCMD_FUNC(cmd_clearhost)
1046 for (n=1; n<argc; n++) {
1047 struct userNode *un = GetUserH(argv[n]);
1048 const char *scanhost;
1051 strcpy(hnamebuf, inet_ntoa(un->ip));
1052 scanhost = hnamebuf;
1056 switch (sockcheck_uncache_host(scanhost)) {
1058 reply("PCMSG_CHECKING_ADDRESS", scanhost);
1061 reply("PCMSG_NOT_REMOVED_FROM_CACHE", scanhost);
1064 reply("PCMSG_REMOVED_FROM_CACHE", scanhost);
1071 static MODCMD_FUNC(cmd_stats_proxycheck)
1074 const char *hostname = argv[1];
1075 char elapse_buf[INTERVALLEN];
1078 sockcheck_cache_info sci = dict_find(checked_ip_dict, hostname, NULL);
1080 reply("PCMSG_NOT_CACHED", hostname);
1083 intervalString(elapse_buf, now - sci->last_touched);
1084 switch (sci->decision) {
1085 case CHECKING: msg = "PCMSG_STATUS_CHECKING"; break;
1086 case ACCEPT: msg = "PCMSG_STATUS_ACCEPTED"; break;
1087 case REJECT: msg = "PCMSG_STATUS_REJECTED"; break;
1088 default: msg = "PCMSG_STATUS_UNKNOWN"; break;
1090 reply(msg, sci->hostname, elapse_buf, sci->reason);
1093 reply("PCMSG_STATISTICS", checked_ip_count, proxies_detected, sockcheck_num_clients, sockcheck_conf.max_clients, pending_sci_list.used, dict_size(checked_ip_dict), (tests ? tests->used : 0));
1099 sockcheck_new_user(struct userNode *user) {
1100 /* If they have a bum IP, or are bursting in, don't proxy-check or G-line them. */
1102 && (ntohl(user->ip.s_addr) != INADDR_LOOPBACK)
1103 && !user->uplink->burst)
1104 sockcheck_queue_address(user->ip);
1109 _sockcheck_init(void)
1111 checked_ip_dict = dict_new();
1112 dict_set_free_data(checked_ip_dict, free);
1113 sci_list_init(&pending_sci_list);
1114 sockcheck_num_clients = 0;
1115 sockcheck_read_tests();
1116 timeq_del(0, sockcheck_clean_cache, 0, TIMEQ_IGNORE_WHEN|TIMEQ_IGNORE_DATA);
1117 client_list = calloc(sockcheck_conf.max_clients, sizeof(client_list[0]));
1118 timeq_add(now+sockcheck_conf.max_cache_age, sockcheck_clean_cache, 0);
1122 sockcheck_read_conf(void)
1127 /* set the defaults here in case the entire record is missing */
1128 sockcheck_conf.max_clients = 32;
1129 sockcheck_conf.max_read = 1024;
1130 sockcheck_conf.gline_duration = 3600;
1131 sockcheck_conf.max_cache_age = 60;
1132 if (sockcheck_conf.local_addr) {
1133 free(sockcheck_conf.local_addr);
1134 sockcheck_conf.local_addr = NULL;
1136 /* now try to read from the conf database */
1137 if ((my_node = conf_get_data("modules/sockcheck", RECDB_OBJECT))) {
1138 str = database_get_data(my_node, "max_sockets", RECDB_QSTRING);
1139 if (str) sockcheck_conf.max_clients = strtoul(str, NULL, 0);
1140 str = database_get_data(my_node, "max_clients", RECDB_QSTRING);
1141 if (str) sockcheck_conf.max_clients = strtoul(str, NULL, 0);
1142 str = database_get_data(my_node, "max_read", RECDB_QSTRING);
1143 if (str) sockcheck_conf.max_read = strtoul(str, NULL, 0);
1144 str = database_get_data(my_node, "max_cache_age", RECDB_QSTRING);
1145 if (str) sockcheck_conf.max_cache_age = ParseInterval(str);
1146 str = database_get_data(my_node, "gline_duration", RECDB_QSTRING);
1147 if (str) sockcheck_conf.gline_duration = ParseInterval(str);
1148 str = database_get_data(my_node, "address", RECDB_QSTRING);
1150 struct sockaddr_in *sin;
1153 sockcheck_conf.local_addr_len = sizeof(*sin);
1154 if (getipbyname(str, &addr)) {
1155 sin = malloc(sockcheck_conf.local_addr_len);
1156 sin->sin_family = AF_INET;
1158 sin->sin_addr.s_addr = addr;
1162 memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
1163 sockcheck_conf.local_addr = sin;
1165 log_module(PC_LOG, LOG_ERROR, "Error: Unable to get host named `%s', not checking a specific address.", str);
1166 sockcheck_conf.local_addr = NULL;
1173 sockcheck_init(void)
1175 PC_LOG = log_register_type("ProxyCheck", "file:proxycheck.log");
1176 conf_register_reload(sockcheck_read_conf);
1177 reg_exit_func(sockcheck_shutdown);
1179 message_register_table(msgtab);
1181 sockcheck_module = module_register("ProxyCheck", PC_LOG, "mod-sockcheck.help", NULL);
1182 modcmd_register(sockcheck_module, "defproxy", cmd_defproxy, 2, 0, "level", "999", NULL);
1183 modcmd_register(sockcheck_module, "hostscan", cmd_hostscan, 2, 0, "level", "650", NULL);
1184 modcmd_register(sockcheck_module, "clearhost", cmd_clearhost, 2, 0, "level", "650", NULL);
1185 modcmd_register(sockcheck_module, "stats proxycheck", cmd_stats_proxycheck, 0, 0, NULL);
1186 reg_new_user_func(sockcheck_new_user);
1191 sockcheck_finalize(void)
projects / srvx.git / blob