Support ipv6 DNS blacklists

atheme/charybdis@0a1e77c27c
2013-10-06 07:53:17 -07:00 · 2013-10-06 07:53:17 -07:00 · afe4cb9104
parent 143fdd4069
commit afe4cb9104
3 changed files with 113 additions and 17 deletions
--- a/include/blacklist.h
+++ b/include/blacklist.h
@ -28,6 +28,8 @@
 struct Blacklist {
 	unsigned int status;	/* If CONF_ILLEGAL, delete when no clients */
 	int refcount;
+	int ipv4; /* Does this blacklist support IPv4 lookups? */
+	int ipv6; /* Does this blacklist support IPv6 lookups? */
 	char host[IRCD_RES_HOSTLEN + 1];
 	char reject_reason[IRCD_BUFSIZE];
 	unsigned int hits;
@ -43,7 +45,7 @@ struct BlacklistClient {
 };

 /* public interfaces */
-struct Blacklist *new_blacklist(char *host, char *reject_entry);
+struct Blacklist *new_blacklist(char *host, char *reject_reason, int ipv4, int ipv6); 
 void lookup_blacklists(struct Client *client_p);
 void abort_blacklist_queries(struct Client *client_p);
 void unref_blacklist(struct Blacklist *blptr);
--- a/src/blacklist.c
+++ b/src/blacklist.c
@ -2,7 +2,7 @@
 * charybdis: A slightly useful ircd.
 * blacklist.c: Manages DNS blacklist entries and lookups
 *
- * Copyright (C) 2006-2008 charybdis development team
+ * Copyright (C) 2006-2011 charybdis development team
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
@ -112,7 +112,6 @@ static void blacklist_dns_callback(void *vptr, struct DNSReply *reply)
 	rb_free(blcptr);
 }

-/* XXX: no IPv6 implementation, not to concerned right now though. */
 static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *client_p)
 {
 	struct BlacklistClient *blcptr = rb_malloc(sizeof(struct BlacklistClient));
@ -125,15 +124,54 @@ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *
 	blcptr->dns_query.ptr = blcptr;
 	blcptr->dns_query.callback = blacklist_dns_callback;

-	ip = (uint8_t *)&((struct sockaddr_in *)&client_p->localClient->ip)->sin_addr.s_addr;
+	if ((client_p->localClient->ip.ss_family == AF_INET) && blptr->ipv4)
+	{
+		ip = (uint8_t *)&((struct sockaddr_in *)&client_p->localClient->ip)->sin_addr.s_addr;

-	/* becomes 2.0.0.127.torbl.ahbl.org or whatever */
-	rb_snprintf(buf, sizeof buf, "%u.%u.%u.%u.%s",
-		    (unsigned int) ip[3],
-		    (unsigned int) ip[2],
-		    (unsigned int) ip[1],
-		    (unsigned int) ip[0],
-		    blptr->host);
+		/* becomes 2.0.0.127.torbl.ahbl.org or whatever */
+		rb_snprintf(buf, sizeof buf, "%d.%d.%d.%d.%s",
+					(unsigned int) ip[3],
+					(unsigned int) ip[2],
+					(unsigned int) ip[1],
+					(unsigned int) ip[0],
+					blptr->host);
+	}
+	/* IPv6 is supported now. --Elizabeth */
+	else if ((client_p->localClient->ip.ss_family == AF_INET6) && blptr->ipv6)
+	{
+		/* Breaks it into ip[0] = 0x00, ip[1] = 0x00... ip[16] = 0x01 for localhost
+		 * I wish there was a uint4_t for C, this would make the below cleaner, but... */
+		ip = (uint8_t *)&((struct sockaddr_in6 *)&client_p->localClient->ip)->sin6_addr.s6_addr;
+		char *bufptr = buf;
+		int i;
+
+		/* The below will give us something like
+		 * 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.foobl.invalid
+		 */
+
+		/* Going backwards */
+		for (i = 15; i >= 0; i--)
+		{
+			/* Get upper and lower nibbles (yes this works fine on
+		 	 * both big and little endian) */
+			uint8_t hi = (ip[i] >> 4) & 0x0F;
+			uint8_t lo = ip[i] & 0x0F;
+
+			/* One part... (why 5? rb_snprintf adds \0) */
+			rb_snprintf(bufptr, 5, "%1x.%1x.",
+						(unsigned int) lo, /* Remember, backwards */
+						(unsigned int) hi);
+
+			/* Lurch forward to next position */
+			bufptr += 4;
+		} 
+
+		/* Tack host on */
+		strcpy(bufptr, blptr->host);
+	}
+	/* This shouldn't happen... */
+	else
+		return; 

 	gethost_byname_type(buf, &blcptr->dns_query, T_A);

@ -142,7 +180,7 @@ static void initiate_blacklist_dnsquery(struct Blacklist *blptr, struct Client *
 }

 /* public interfaces */
-struct Blacklist *new_blacklist(char *name, char *reject_reason)
+struct Blacklist *new_blacklist(char *name, char *reject_reason, int ipv4, int ipv6)
 {
 	struct Blacklist *blptr;

@ -159,6 +197,8 @@ struct Blacklist *new_blacklist(char *name, char *reject_reason)
 		blptr->status &= ~CONF_ILLEGAL;
 	rb_strlcpy(blptr->host, name, IRCD_RES_HOSTLEN + 1);
 	rb_strlcpy(blptr->reject_reason, reject_reason, IRCD_BUFSIZE);
+	blptr->ipv4 = ipv4; 
+	blptr->ipv6 = ipv6; 
 	blptr->lastwarning = 0;

 	return blptr;
@ -178,10 +218,6 @@ void lookup_blacklists(struct Client *client_p)
 {
 	rb_dlink_node *nptr;

-	/* We don't do IPv6 right now, sorry! */
-	if (client_p->localClient->ip.ss_family == AF_INET6)
-		return;
-
 	RB_DLINK_FOREACH(nptr, blacklist_list.head)
 	{
 		struct Blacklist *blptr = (struct Blacklist *) nptr->data;
--- a/src/newconf.c
+++ b/src/newconf.c
@ -55,6 +55,9 @@ static struct alias_entry *yy_alias = NULL;

 static char *yy_blacklist_host = NULL;
 static char *yy_blacklist_reason = NULL;
+static int yy_blacklist_ipv4 = 1;
+static int yy_blacklist_ipv6 = 0; 
+
 static char *yy_privset_extends = NULL;

 static const char *
@ -1849,6 +1852,34 @@ conf_set_blacklist_host(void *data)
 	yy_blacklist_host = rb_strdup(data);
 }

+static void
+conf_set_blacklist_type(void *data)
+{
+	conf_parm_t *args = data;
+
+	/* Don't assume we have either if we got here */
+	yy_blacklist_ipv4 = 0;
+	yy_blacklist_ipv6 = 0;
+
+	for (; args; args = args->next)
+	{
+		if (!strcasecmp(args->v.string, "ipv4"))
+			yy_blacklist_ipv4 = 1;
+		else if (!strcasecmp(args->v.string, "ipv6"))
+			yy_blacklist_ipv6 = 1;
+		else
+			conf_report_error("blacklist::type has unknown address family %s",
+						args->v.string);
+	}
+
+	/* If we have neither, just default to IPv4 */
+	if (!yy_blacklist_ipv4 && !yy_blacklist_ipv6)
+	{
+		conf_report_error("blacklist::type has neither IPv4 nor IPv6 (defaulting to IPv4)");
+		yy_blacklist_ipv4 = 1;
+	}
+} 
+
 static void
 conf_set_blacklist_reason(void *data)
 {
@ -1856,11 +1887,37 @@ conf_set_blacklist_reason(void *data)

 	if (yy_blacklist_host && yy_blacklist_reason)
 	{
-		new_blacklist(yy_blacklist_host, yy_blacklist_reason);
+		if (yy_blacklist_ipv6)
+		{
+			/* Make sure things fit (64 = alnum count + dots) */
+			if ((64 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN)
+			{
+				conf_report_error("blacklist::host %s results in IPv6 queries that are too long",
+					yy_blacklist_host);
+				goto cleanup_bl;
+			}
+		}
+		/* Avoid doing redundant check, IPv6 is bigger than IPv4 --Elizabeth */
+		if (yy_blacklist_ipv4 && !yy_blacklist_ipv6)
+		{
+			/* Make sure things fit (16 = number of nums + dots) */
+			if ((16 + strlen(yy_blacklist_host)) > IRCD_RES_HOSTLEN)
+			{
+				conf_report_error("blacklist::host %s results in IPv4 queries that are too long",
+					yy_blacklist_host);
+				goto cleanup_bl;
+			}
+		}
+
+		new_blacklist(yy_blacklist_host, yy_blacklist_reason, yy_blacklist_ipv4, yy_blacklist_ipv6);
+
+cleanup_bl:
 		rb_free(yy_blacklist_host);
 		rb_free(yy_blacklist_reason);
 		yy_blacklist_host = NULL;
 		yy_blacklist_reason = NULL;
+		yy_blacklist_ipv4 = 1;
+		yy_blacklist_ipv6 = 0; 
 	}
 }

@ -2385,5 +2442,6 @@ newconf_init()

 	add_top_conf("blacklist", NULL, NULL, NULL);
 	add_conf_item("blacklist", "host", CF_QSTRING, conf_set_blacklist_host);
+	add_conf_item("blacklist", "type", CF_STRING | CF_FLIST, conf_set_blacklist_type);
 	add_conf_item("blacklist", "reject_reason", CF_QSTRING, conf_set_blacklist_reason);
 }