3
0
mirror of https://github.com/ergochat/ergo.git synced 2025-01-20 17:14:08 +01:00

Merge pull request #1503 from slingamn/uban_tweak.1

tweaks to UBAN
This commit is contained in:
Shivaram Lingamneni 2021-01-22 07:49:26 -05:00 committed by GitHub
commit 7b45e81178
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 38 additions and 30 deletions

View File

@ -28,6 +28,7 @@ type CustomLimitConfig struct {
// tuples the key-value pair of a CIDR and its custom limit/throttle values // tuples the key-value pair of a CIDR and its custom limit/throttle values
type customLimit struct { type customLimit struct {
name [16]byte name [16]byte
customID string // operator-configured identifier for a custom net
maxConcurrent int maxConcurrent int
maxPerWindow int maxPerWindow int
nets []flatip.IPNet nets []flatip.IPNet
@ -103,6 +104,7 @@ func (config *LimiterConfig) postprocess() (err error) {
maxConcurrent: customLimitConf.MaxConcurrent, maxConcurrent: customLimitConf.MaxConcurrent,
maxPerWindow: customLimitConf.MaxPerWindow, maxPerWindow: customLimitConf.MaxPerWindow,
name: md5.Sum([]byte(identifier)), name: md5.Sum([]byte(identifier)),
customID: identifier,
nets: nets, nets: nets,
}) })
} }
@ -124,11 +126,11 @@ type Limiter struct {
// addrToKey canonicalizes `addr` to a string key, and returns // addrToKey canonicalizes `addr` to a string key, and returns
// the relevant connection limit and throttle max-per-window values // the relevant connection limit and throttle max-per-window values
func (cl *Limiter) addrToKey(addr flatip.IP) (key limiterKey, limit int, throttle int) { func (cl *Limiter) addrToKey(addr flatip.IP) (key limiterKey, customID string, limit int, throttle int) {
for _, custom := range cl.config.customLimits { for _, custom := range cl.config.customLimits {
for _, net := range custom.nets { for _, net := range custom.nets {
if net.Contains(addr) { if net.Contains(addr) {
return limiterKey{maskedIP: custom.name, prefixLen: 0}, custom.maxConcurrent, custom.maxPerWindow return limiterKey{maskedIP: custom.name, prefixLen: 0}, custom.customID, custom.maxConcurrent, custom.maxPerWindow
} }
} }
} }
@ -143,7 +145,7 @@ func (cl *Limiter) addrToKey(addr flatip.IP) (key limiterKey, limit int, throttl
addr = addr.Mask(prefixLen, 128) addr = addr.Mask(prefixLen, 128)
} }
return limiterKey{maskedIP: addr, prefixLen: uint8(prefixLen)}, cl.config.MaxConcurrent, cl.config.MaxPerWindow return limiterKey{maskedIP: addr, prefixLen: uint8(prefixLen)}, "", cl.config.MaxConcurrent, cl.config.MaxPerWindow
} }
// AddClient adds a client to our population if possible. If we can't, throws an error instead. // AddClient adds a client to our population if possible. If we can't, throws an error instead.
@ -156,7 +158,7 @@ func (cl *Limiter) AddClient(addr flatip.IP) error {
return nil return nil
} }
addrString, maxConcurrent, maxPerWindow := cl.addrToKey(addr) addrString, _, maxConcurrent, maxPerWindow := cl.addrToKey(addr)
// check limiter // check limiter
var count int var count int
@ -200,7 +202,7 @@ func (cl *Limiter) RemoveClient(addr flatip.IP) {
return return
} }
addrString, _, _ := cl.addrToKey(addr) addrString, _, _, _ := cl.addrToKey(addr)
count := cl.limiter[addrString] count := cl.limiter[addrString]
count -= 1 count -= 1
if count < 0 { if count < 0 {
@ -220,7 +222,7 @@ type LimiterStatus struct {
ThrottleDuration time.Duration ThrottleDuration time.Duration
} }
func (cl *Limiter) Status(addr flatip.IP) (status LimiterStatus) { func (cl *Limiter) Status(addr flatip.IP) (netName string, status LimiterStatus) {
cl.Lock() cl.Lock()
defer cl.Unlock() defer cl.Unlock()
@ -231,12 +233,20 @@ func (cl *Limiter) Status(addr flatip.IP) (status LimiterStatus) {
status.ThrottleDuration = cl.config.Window status.ThrottleDuration = cl.config.Window
addrString, maxConcurrent, maxPerWindow := cl.addrToKey(addr) limiterKey, customID, maxConcurrent, maxPerWindow := cl.addrToKey(addr)
status.MaxCount = maxConcurrent status.MaxCount = maxConcurrent
status.MaxPerWindow = maxPerWindow status.MaxPerWindow = maxPerWindow
status.Count = cl.limiter[addrString] status.Count = cl.limiter[limiterKey]
status.Throttle = cl.throttler[addrString].Count status.Throttle = cl.throttler[limiterKey].Count
netName = customID
if netName == "" {
netName = flatip.IPNet{
IP: limiterKey.maskedIP,
PrefixLen: limiterKey.prefixLen,
}.String()
}
return return
} }
@ -250,7 +260,7 @@ func (cl *Limiter) ResetThrottle(addr flatip.IP) {
return return
} }
addrString, _, _ := cl.addrToKey(addr) addrString, _, _, _ := cl.addrToKey(addr)
delete(cl.throttler, addrString) delete(cl.throttler, addrString)
} }

View File

@ -50,20 +50,20 @@ func TestKeying(t *testing.T) {
limiter.ApplyConfig(&config) limiter.ApplyConfig(&config)
// an ipv4 /32 looks like a /128 to us after applying the 4-in-6 mapping // an ipv4 /32 looks like a /128 to us after applying the 4-in-6 mapping
key, maxConc, maxWin := limiter.addrToKey(easyParseIP("1.1.1.1")) key, _, maxConc, maxWin := limiter.addrToKey(easyParseIP("1.1.1.1"))
assertEqual(key.prefixLen, uint8(128), t) assertEqual(key.prefixLen, uint8(128), t)
assertEqual(key.maskedIP[12:], []byte{1, 1, 1, 1}, t) assertEqual(key.maskedIP[12:], []byte{1, 1, 1, 1}, t)
assertEqual(maxConc, 4, t) assertEqual(maxConc, 4, t)
assertEqual(maxWin, 8, t) assertEqual(maxWin, 8, t)
testIPv6 := easyParseIP("2607:5301:201:3100::7426") testIPv6 := easyParseIP("2607:5301:201:3100::7426")
key, maxConc, maxWin = limiter.addrToKey(testIPv6) key, _, maxConc, maxWin = limiter.addrToKey(testIPv6)
assertEqual(key.prefixLen, uint8(64), t) assertEqual(key.prefixLen, uint8(64), t)
assertEqual(flatip.IP(key.maskedIP), easyParseIP("2607:5301:201:3100::"), t) assertEqual(flatip.IP(key.maskedIP), easyParseIP("2607:5301:201:3100::"), t)
assertEqual(maxConc, 4, t) assertEqual(maxConc, 4, t)
assertEqual(maxWin, 8, t) assertEqual(maxWin, 8, t)
key, maxConc, maxWin = limiter.addrToKey(easyParseIP("8.8.4.4")) key, _, maxConc, maxWin = limiter.addrToKey(easyParseIP("8.8.4.4"))
assertEqual(key.prefixLen, uint8(0), t) assertEqual(key.prefixLen, uint8(0), t)
assertEqual([16]byte(key.maskedIP), md5.Sum([]byte("google")), t) assertEqual([16]byte(key.maskedIP), md5.Sum([]byte("google")), t)
assertEqual(maxConc, 128, t) assertEqual(maxConc, 128, t)

View File

@ -107,14 +107,6 @@ For instance, this would set the kill, oper, account and xline snomasks on dan:
// Help contains the help strings distributed with the IRCd. // Help contains the help strings distributed with the IRCd.
var Help = map[string]HelpEntry{ var Help = map[string]HelpEntry{
// Commands // Commands
"acc": {
text: `ACC LS
ACC REGISTER <accountname> [callback_namespace:]<callback> [cred_type] :<credential>
ACC VERIFY <accountname> <auth_code>
Used in account registration. See the relevant specs for more info:
https://oragono.io/specs.html`,
},
"ambiance": { "ambiance": {
text: `AMBIANCE <target> <text to be sent> text: `AMBIANCE <target> <text to be sent>

View File

@ -303,13 +303,12 @@ func ubanInfoHandler(client *Client, target ubanTarget, params []string, rb *Res
func ubanInfoCIDR(client *Client, target ubanTarget, rb *ResponseBuffer) { func ubanInfoCIDR(client *Client, target ubanTarget, rb *ResponseBuffer) {
if target.cidr.PrefixLen == 128 { if target.cidr.PrefixLen == 128 {
status := client.server.connectionLimiter.Status(target.cidr.IP) netName, status := client.server.connectionLimiter.Status(target.cidr.IP)
str := target.cidr.IP.String()
if status.Exempt { if status.Exempt {
rb.Notice(fmt.Sprintf(client.t("IP %s is exempt from connection limits"), str)) rb.Notice(fmt.Sprintf(client.t("IP %s is exempt from connection limits"), target.cidr.IP.String()))
} else { } else {
rb.Notice(fmt.Sprintf(client.t("IP %[1]s has %[2]d active connections out of a maximum of %[3]d"), str, status.Count, status.MaxCount)) rb.Notice(fmt.Sprintf(client.t("Network %[1]s has %[2]d active connections out of a maximum of %[3]d"), netName, status.Count, status.MaxCount))
rb.Notice(fmt.Sprintf(client.t("IP %[1]s has had %[2]d connection attempts in the past %[3]v, out of a maximum of %[4]d"), str, status.Throttle, status.ThrottleDuration, status.MaxPerWindow)) rb.Notice(fmt.Sprintf(client.t("Network %[1]s has had %[2]d connection attempts in the past %[3]v, out of a maximum of %[4]d"), netName, status.Throttle, status.ThrottleDuration, status.MaxPerWindow))
} }
} }
@ -364,15 +363,22 @@ func ubanInfoNick(client *Client, target ubanTarget, rb *ResponseBuffer) {
mcl := client.server.clients.Get(target.nickOrMask) mcl := client.server.clients.Get(target.nickOrMask)
if mcl != nil { if mcl != nil {
details := mcl.Details() details := mcl.Details()
sessions := mcl.Sessions()
ip := mcl.IP()
sendIPBanWarning := false
if details.account == "" { if details.account == "" {
rb.Notice(fmt.Sprintf(client.t("Client %[1]s is unauthenticated and connected from %[2]s"), details.nick, mcl.IP().String())) rb.Notice(fmt.Sprintf(client.t("Client %[1]s is unauthenticated and connected from %[2]s"), details.nick, ip.String()))
sendIPBanWarning = true
} else { } else {
rb.Notice(fmt.Sprintf(client.t("Client %[1]s is logged into account %[2]s and has %[3]d active clients (see /NICKSERV CLIENTS LIST %[4]s for more info"), details.nick, details.accountName, len(mcl.Sessions()), details.nick)) rb.Notice(fmt.Sprintf(client.t("Client %[1]s is logged into account %[2]s and has %[3]d active clients (see /NICKSERV CLIENTS LIST %[4]s for more info"), details.nick, details.accountName, len(mcl.Sessions()), details.nick))
ip := mcl.IP() if !ip.IsLoopback() && len(sessions) == 1 {
if !ip.IsLoopback() { rb.Notice(fmt.Sprintf(client.t("Client %[1]s is associated with IP %[2]s"), details.nick, ip.String()))
rb.Notice(fmt.Sprintf(client.t("Client %[1]s is associated with IP %[2]s; you can ban this IP with /UBAN ADD"), details.nick, ip.String())) sendIPBanWarning = true
} }
} }
if sendIPBanWarning {
rb.Notice(client.t("Warning: banning this IP or a network that contains it may affect other users. Use /UBAN INFO on the candidate IP or network for more information."))
}
} else { } else {
rb.Notice(fmt.Sprintf(client.t("No client is currently using that nickname"))) rb.Notice(fmt.Sprintf(client.t("No client is currently using that nickname")))
} }