Context Navigation

← Previous Change
Next Change →

Changeset 705 in code for trunk

Timestamp:

Nov 17, 2021, 2:07:58 PM (4 years ago)

Author:

contact

Message:

Add per-user IP addresses

The new upstream-user-ip directive allows bouncer operators to
assign one IP address per user.

Location:

trunk

Files:

: 6 edited

cmd/soju/main.go (modified) (1 diff)
config/config.go (modified) (2 diffs)
doc/soju.1.scd (modified) (1 diff)
server.go (modified) (1 diff)
upstream.go (modified) (2 diffs)
user.go (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/cmd/soju/main.go

r694	r705
94	94	MaxUserNetworks: raw.MaxUserNetworks,
95	95	MultiUpstream: raw.MultiUpstream,
	96	UpstreamUserIPs: raw.UpstreamUserIPs,
96	97	Debug: debug,
97	98	MOTD: motd,

trunk/config/config.go

-              r694
+              r705
         MaxUserNetworks int
         MultiUpstream   bool
+        UpstreamUserIPs []*net.IPNet
+}
 …
+                        }
                         srv.MultiUpstream = v
+                case "upstream-user-ip":
+                        if len(srv.UpstreamUserIPs) > 0 {
+                                return nil, fmt.Errorf("directive %q: can only be specified once", d.Name)
+                        }
+                        var hasIPv4, hasIPv6 bool
+                        for _, s := range d.Params {
+                                _, n, err := net.ParseCIDR(s)
+                                if err != nil {
+                                        return nil, fmt.Errorf("directive %q: failed to parse CIDR: %v", d.Name, err)
+                                }
+                                if n.IP.To4() == nil {
+                                        if hasIPv6 {
+                                                return nil, fmt.Errorf("directive %q: found two IPv6 CIDRs", d.Name)
+                                        }
+                                        hasIPv6 = true
+                                } else {
+                                        if hasIPv4 {
+                                                return nil, fmt.Errorf("directive %q: found two IPv4 CIDRs", d.Name)
+                                        }
+                                        hasIPv4 = true
+                                }
+                                srv.UpstreamUserIPs = append(srv.UpstreamUserIPs, n)
+                        }
                 default:
                         return nil, fmt.Errorf("unknown directive %q", d.Name)

trunk/doc/soju.1.scd

-              r694
+              r705
         mode is enabled.
+*upstream-user-ip* <cidr...>
+        Enable per-user IP addresses. One IPv4 range and/or one IPv6 range can be
+        specified in CIDR notation. One IP address per range will be assigned to
+        each user and will be used as the source address when connecting to an
+        upstream network.
+        This can be useful to avoid having the whole bouncer banned from an upstream
+        network because of one malicious user.
 # IRC SERVICE

trunk/server.go

r704	r705
65	65	MultiUpstream bool
66	66	MOTD string
	67	UpstreamUserIPs []*net.IPNet
67	68	}
68	69

trunk/upstream.go

-              r685
+              r705
+                }
+                dialer.LocalAddr, err = network.user.localTCPAddrForHost(host)
+                if err != nil {
+                        return nil, fmt.Errorf("failed to pick local IP for remote host %q: %v", host, err)
+                }
                 logger.Printf("connecting to TLS server at address %q", addr)
 …
         case "irc+insecure":
                 addr := u.Host
+                if _, _, err := net.SplitHostPort(addr); err != nil {
+                        addr = addr + ":6667"
+                host, _, err := net.SplitHostPort(addr)
+                if err != nil {
+                        host = u.Host
+                        addr = u.Host + ":6667"
+                }
+                dialer.LocalAddr, err = network.user.localTCPAddrForHost(host)
+                if err != nil {
+                        return nil, fmt.Errorf("failed to pick local IP for remote host %q: %v", host, err)
+                }

trunk/user.go

-              r704
+              r705
         "encoding/hex"
         "fmt"
+        "math/big"
+        "net"
         "time"
 …
         return !isMem
+}
+// localAddrForHost returns the local address to use when connecting to host.
+// A nil address is returned when the OS should automatically pick one.
+func (u *user) localTCPAddrForHost(host string) (*net.TCPAddr, error) {
+        upstreamUserIPs := u.srv.Config().UpstreamUserIPs
+        if len(upstreamUserIPs) == 0 {
+                return nil, nil
+        }
+        ips, err := net.LookupIP(host)
+        if err != nil {
+                return nil, err
+        }
+        wantIPv6 := false
+        for _, ip := range ips {
+                if ip.To4() == nil {
+                        wantIPv6 = true
+                        break
+                }
+        }
+        var ipNet *net.IPNet
+        for _, in := range upstreamUserIPs {
+                if wantIPv6 == (in.IP.To4() == nil) {
+                        ipNet = in
+                        break
+                }
+        }
+        if ipNet == nil {
+                return nil, nil
+        }
+        var ipInt big.Int
+        ipInt.SetBytes(ipNet.IP)
+        ipInt.Add(&ipInt, big.NewInt(u.ID+1))
+        ip := net.IP(ipInt.Bytes())
+        if !ipNet.Contains(ip) {
+                return nil, fmt.Errorf("IP network %v too small", ipNet)
+        }
+        return &net.TCPAddr{IP: ip}, nil
+}

Note: See TracChangeset for help on using the changeset viewer.