View Issue Details

IDProjectCategoryView StatusLast Update
0005705unrealircdpublic2021-11-01 16:47
Reportersyzop Assigned Tosyzop  
PrioritynormalSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
Fixed in Version6.0.0-beta1 
Summary0005705: U6: geoip features
DescriptionAs mentioned in 0005005 geoip has been suggested before. Similarly, it was a goal of UnrealIRCd 5 but it was dropped at the end because otherwise the release date could not be met (Dec 2019). It is now a goal for UnrealIRCd 6.

I am aware that both k4be and Gottem have made geoip modules. I'm not so sure if they can/will be used as-is, but they can be used for inspiration and well... surely some parts of it will be useful.

There are various legal and usage questions that come up with regards to providers:
A1. Since the GDPR and other laws various providers have pulled their data for free unrestricted download and made you register, some have licenses that were previously open and have been turned into something restrictive
A2. I think it would be nice to support different providers, this makes us and our users flexible if the rules or license changes
A3. Related a bit: some providers use a certain file format that only a certain library can read that may not be GPLv2 compatible, such things will always have to be investigated
A4. In any case, we should select some kind of suggested or primary/default one, taking into account all these concerns (and also quality, of course)

Geoip provider module:
B1. To make it flexible we need to have different modules for different providers. A geoip API may be needed, or possible we can just get away with an optional callback function such as how cloaking works (we should only complicate things if it is needed...)
B2. Obviously the geoip providers must be written

Using geoip:
C1. Make it an extban (+b / +e / +I) which also means it is an extended server ban (GLINE / ELINE / ..)
C2. People may want to authorize users based on a whitelist, in which case the above may not be flexible enough. While technically you could ban *@* and then exempt *@*.nl and such, this makes you loose the ability to place specific bans (eg *@* So consider some configuration-style whitelist approach. I don't think a configuration-style blacklist approach would be useful since we already have other blocks for it (ban user { mask ~country:XX; reason "go away"; })
C3. Create an option to add it to WHOIS. This should be configurable in the config as not everyone will want to expose this information. I think the choices are basically: oper only or everyone.
C4. I am sure there are more possibilities....
TagsNo tags attached.
3rd party modules



2020-06-10 23:26

developer   ~0021624

Well I wouldn't mind incorporating my paid geoip module into base U6. :>

The config it uses looks like this:
geoip {
    /* REQUIRED */
    // The path to the .mmdb file you downloaded earlier, notice the path is relative to the Unreal _installation_ directory
    db "data/geolite2-country.mmdb";

    // A list of countries to block, you need at least one for obvious reasons
    block {
        CN; // China
        RU; // Russia

    /* OPTIONAL */
    // Whether to notify opers about anything else besides fatal errors (warnings/errors, blocked/whitelisted connections, etc) -- defaults to yes
    //notifyopers no;

    // Don't even check websocket users, useful in case you already have external access control in place -- defaults to no
    //exemptwebsocket yes;

    // Unknown connections are those for which DB lookup fails (i.e. don't have location data associated with them, such as private/LAN IPs) -- defaults to no
    //allowunknown yes;

    // Process everything as usual but allow the user regardless of failed checks (useful for testing) -- defaults to no
    //softfail yes;

    // Message to show to users if they're denied access for _any reason_ -- defaults to "Denied connection"
    //denymsg "Denied connection due to a blacklisted location";

    /*exceptions {
        // These exempt the possible IP forms of localhost for e.g. bot connections (HOPM/BOPM perhaps), since those are still technically users; ::1;

        // You don't technically need to use this if you're going for the above 2, but I'll add it for completeness =]

        // Maybe you're hosting your server at home and you're connecting to its local IP and not your public routable (WAN) IP, so exempt your local network too;
        //192.168.1.*; // This one would work the same

        // A frequent user is on holiday in Russia, so we gotta let him through;

        // Or someone whose IP is dynamic but his host stays the same, or has multiple IPs but they have the same reverse DNS name (resulting in the same "realhost" value);

// In order to see the notices sent by the module an oper needs to have the +g snomask (/mode nick +s +g or through set::snomask-on-oper or oper::snomask), which also requires a new oper privilege being set:
operclass netadmin-geoip {
    parent netadmin;
    privileges {

As you can see it uses a blacklist approach as well as the binary MaxMind database format, which does require you to sign up for an account. They offer a commercial redistribution license but it's only free for a year as far as I can tell. I think it's okay to redistribute it with Unreal though, since I don't think we qualify as commercial so we'd only need some attribution shit (CC BY-SA 4.0 based licensing). Providing updated databases might be a little problematic though, as you'd have to make Unreal download the databases through our own account. See also:

I know you said you'd prefer not to use a blacklist approach, but as far as I know that's actually what most people are looking for. :> Regardless of what we end up doing I think it should be functionally equivalent to my current module, as I'd drop the module entirely and people using it should be able to transition smoothly to the new one.

Some other GeoIP providers (I've never messed with these though):
* (local DB like MaxMind's but not sure how the fuck their binary format works, and fuck CSV imo :D)
* (no account required but limited to 45 API requests per minute per client IP)
* (this website gives me various diseases but it's a simple HTTP based API without the need for an account)


2021-11-01 16:47

administrator   ~0022150

Done in U6 :D

Issue History

Date Modified Username Field Change
2020-06-10 15:54 syzop New Issue
2020-06-10 15:54 syzop Status new => acknowledged
2020-06-10 23:26 Gottem Note Added: 0021624
2021-11-01 16:47 syzop View Status private => public
2021-11-01 16:47 syzop Assigned To => syzop
2021-11-01 16:47 syzop Status acknowledged => resolved
2021-11-01 16:47 syzop Resolution open => fixed
2021-11-01 16:47 syzop Fixed in Version => 6.0.0-beta1
2021-11-01 16:47 syzop Note Added: 0022150