View Issue Details

ID  Project  Category  View Status  Last Update
0005506  unrealircd  public  2022-05-25 15:32
Reporter: westor    Assigned To: syzop
Priority: normal    Severity: feature    Reproducibility: always
Status: resolved    Resolution: fixed
Product Version: 5.0.0
Fixed in Version: 6.0.4-rc1
Summary: 0005506: Add "except-webirc;" in Blacklist + Restrict-commands + Connthrottle modules
Description:
Hello,

I wanna suggest an except option, if it is possible, to be added into the Blacklist, Restrict-commands and Connthrottle modules, especially for webirc NEW USERS, and I am gonna explain why it is very useful and missing right now.

In the blacklist module, when a webirc (new user) is trying to connect but is matched in that module by a specific DNSBL, and that DNSBL is useful, there is not a way right now to except this user instead of /ELINE, and this is not 100% correct because there may not be someone from the admin team online to add it.

In restrict-commands, when you wanna protect your network by restricting some of the USERCMDS during connecting, right now there is not any option to except webirc new users, with the result that it matches them too. So if you add, for example, JOIN in restrict command on connect for 10s, it matches webirc clients as well; this could be solved if "exempt-webirc yes;" existed.

In connthrottle, when it is enabled due to a high proxy attack, it will reject the webirc (new users) from connecting too; in this case, if "webirc-bypass yes;" existed under known-users, it would solve it.

- Thanks!
Tags: No tags attached.
3rd party modules

Activities

syzop

2020-01-02 16:40

administrator   ~0021193

Dropping as target for 5.0.1, sorry.

syzop

2022-05-14 19:24

administrator   ~0022483

Last edited: 2022-05-14 19:25

This issue inspired me not to duplicate the same code but to extend security-group functionality to "mask" and "except".
I have now added/transformed: antirandom, antimixedutf8, connthrottle and restrict-commands to accept the same items as exist in the security-group block, see https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/RELEASE-NOTES.md#unrealircd-604-git

For restrict-commands see the updated examples in example.conf: https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/conf/examples/example.conf#L500-L530
And same for connthrottle: https://github.com/unrealircd/unrealircd/blob/unreal60_dev/doc/conf/examples/example.conf#L546-L564

You can now use the following within an except block there: webirc yes;

The blacklist { } block still needs to be done (for per-blacklist basis), and except ban { } too (for exempting all blacklists).
In the meantime you can use this though:
except ban { mask ~security-group:webirc-users; type blacklist; }

And then later I will make this work (IT DOES NOT WORK YET):
except ban { mask { webirc yes; } type blacklist; }

syzop

2022-05-15 15:17

administrator   ~0022486

commit c0374862632867e3bafa41e27ee1136fe0ded73c (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sun May 15 15:13:19 2022 +0200

    Add blacklist::except for exempting users from individual blacklists,
    this is a https://www.unrealircd.org/docs/Mask_item so very flexible.
    
    Note that most people would want to use except ban { } instead to
    simply exempt from ALL blacklists. (that one does not yet have the
    flexible mask capability though.. but it will have it soon..)

syzop

2022-05-25 15:32

administrator   ~0022516

Last edited: 2022-05-25 15:32

except ban { mask { webirc yes; } type blacklist; }
works too now:

commit 7ff4a3e8971d0f87efe94e56f0c3dde56e217e08
Author: Bram Matthys <[email protected]>
Date: Wed May 25 07:49:11 2022 +0200

    Add the promised support of security group functionality in except ban { }
    
    So now the example in the release notes actually works:
    except ban {
        mask { security-group irccloud; }
        type { blacklist; connect-flood; handshake-data-flood; }
    }
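
Added example, not part of the original issue thread or the project's own example.conf: the three cases from the report written with the syntax described in the notes above (UnrealIRCd 6.0.4 or later). The blacklist name, DNSBL hostname, reply code, ban time, reason, the 10-second connect-time and the reputation/throttle numbers are constructed sample values. The per-blacklist form limits the exemption to a single DNSBL, while except ban removes blacklist checking for every user who arrives through a WEBIRC gateway.

```conf
/* JOIN is restricted for the first 10 seconds, except for WEBIRC users. */
set {
	restrict-commands {
		join {
			except {
				connect-time 10;
				webirc yes;
			}
		}
	}
}

/* WEBIRC users are never treated as "new users" by connthrottle. */
set {
	connthrottle {
		except {
			reputation-score 24;
			identified yes;
			webirc yes;
		}
		new-users {
			local-throttle 20:60;
			global-throttle 30:60;
		}
		disabled-when {
			reputation-gathering 1w;
			start-delay 3m;
		}
	}
}

/* Narrow form: exempt WEBIRC users from one blacklist only (sample values). */
blacklist sample-dnsbl {
	dns {
		name dnsbl.example.org;
		type record;
		reply { 1; }
	}
	action gline;
	ban-time 24h;
	reason "Listed in sample-dnsbl";
	except { webirc yes; }
}

/* Broad form: exempt WEBIRC users from ALL blacklists. */
except ban {
	mask { webirc yes; }
	type blacklist;
}
```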

Issue History

Date Modified Username Field Change
2019-12-23 17:37 westor New Issue
2019-12-28 09:45 syzop Target Version => 5.0.1
2020-01-02 16:40 syzop Target Version 5.0.1 =>
2020-01-02 16:40 syzop Note Added: 0021193
2020-01-10 08:42 syzop Priority high => normal
2022-05-14 19:24 syzop Note Added: 0022483
2022-05-14 19:25 syzop Note Edited: 0022483
2022-05-15 15:17 syzop Note Added: 0022486
2022-05-25 15:32 syzop Assigned To => syzop
2022-05-25 15:32 syzop Status new => resolved
2022-05-25 15:32 syzop Resolution open => fixed
2022-05-25 15:32 syzop Fixed in Version => 6.0.4-rc1
2022-05-25 15:32 syzop Note Added: 0022516
2022-05-25 15:32 syzop Note Edited: 0022516
2022-05-25 15:32 syzop Note Edited: 0022516