From e13f1f782a9d8d25cc622d050644c7f29c1bfd5e Mon Sep 17 00:00:00 2001 From: Haru Date: Mon, 10 Aug 2015 21:48:48 +0200 Subject: subnet.conf overhaul The subnet.conf system has been rewritten to offer greater flexibility, and to fix some issues that appeared with 838321a36c79e71117320154c9b611c99e93af03. It is now possible to enter, separately, LAN subnets: - `lan_subnets`: This is essentially the same feature present in the old subnet.conf. Each entry in this list defines a (LAN, private) subnet the server is in. Clients connecting from the same subnet, will be redirected to the LAN IP rather than the default public IP. The format has been simplified, and it only requires one IP and one subnet mask (as opposed to a character and a map server IP). - `allowed`: Allowed IPs are IP ranges a server (char to login or map to char) can connect from. Any attempt to connect as a server from an IP not included here, will fail. For convenience, a wildcard range (matching all possible IP addresses) has been provided (`0.0.0.0:0.0.0.0`), but it is very advisable to edit it to a more restrictive set. - `trusted`: Trusted IPs are IP ranges excluded from the IPban checks. This may be useful, for example, to exclude the server's own IP from ipbans, in case of false positives. Any IP ranges added to this list are also implicitly included in the allowed IP ranges. --- src/common/socket.c | 187 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/common/socket.h | 21 ++++++ 2 files changed, 208 insertions(+) (limited to 'src/common') diff --git a/src/common/socket.c b/src/common/socket.c index 17c31db50..830877044 100644 --- a/src/common/socket.c +++ b/src/common/socket.c @@ -14,6 +14,7 @@ #include "common/db.h" #include "common/malloc.h" #include "common/mmo.h" +#include "common/nullpo.h" #include "common/showmsg.h" #include "common/strlib.h" #include "common/timer.h" @@ -1228,6 +1229,21 @@ void socket_final(void) aFree(session[0]); aFree(session); + + if (sockt->lan_subnet) + aFree(sockt->lan_subnet); + sockt->lan_subnet = NULL; + sockt->lan_subnet_count = 0; + + if (sockt->allowed_ip) + aFree(sockt->allowed_ip); + sockt->allowed_ip = NULL; + sockt->allowed_ip_count = 0; + + if (sockt->trusted_ip) + aFree(sockt->trusted_ip); + sockt->trusted_ip = NULL; + sockt->trusted_ip_count = 0; } /// Closes a socket. @@ -1589,6 +1605,164 @@ void send_shortlist_do_sends() } #endif +/** + * Checks whether the given IP comes from LAN or WAN. + * + * @param[in] ip IP address to check. + * @param[out] info Verbose output, if requested. Filled with the matching entry. Ignored if NULL. + * @retval 0 if it is a WAN IP. + * @return the appropriate LAN server address to send, if it is a LAN IP. + */ +uint32 socket_lan_subnet_check(uint32 ip, struct s_subnet *info) +{ + int i; + ARR_FIND(0, sockt->lan_subnet_count, i, (sockt->lan_subnet[i].ip & sockt->lan_subnet[i].mask) == (ip & sockt->lan_subnet[i].mask)); + if (i < sockt->lan_subnet_count) { + if (info) { + info->ip = sockt->lan_subnet[i].ip; + info->mask = sockt->lan_subnet[i].mask; + } + return sockt->lan_subnet[i].ip; + } + if (info) { + info->ip = info->mask = 0; + } + return 0; +} + +/** + * Checks whether the given IP is allowed to connect as a server. + * + * @param ip IP address to check. + * @retval true if we allow server connections from the given IP. + * @retval false otherwise. + */ +bool socket_allowed_ip_check(uint32 ip) +{ + int i; + ARR_FIND(0, sockt->allowed_ip_count, i, (sockt->allowed_ip[i].ip & sockt->allowed_ip[i].mask) == (ip & sockt->allowed_ip[i].mask) ); + if (i < sockt->allowed_ip_count) + return true; + return sockt->trusted_ip_check(ip); // If an address is trusted, it's automatically also allowed. +} + +/** + * Checks whether the given IP is trusted and can skip ipban checks. + * + * @param ip IP address to check. + * @retval true if we trust the given IP. + * @retval false otherwise. + */ +bool socket_trusted_ip_check(uint32 ip) +{ + int i; + ARR_FIND(0, sockt->trusted_ip_count, i, (sockt->trusted_ip[i].ip & sockt->trusted_ip[i].mask) == (ip & sockt->trusted_ip[i].mask)); + if (i < sockt->trusted_ip_count) + return true; + return false; +} + +/** + * Helper function to read a list of network.conf values. + * + * Entries will be appended to the variable-size array pointed to by list/count. + * + * @param[in] t The list to parse. + * @param[in,out] list Pointer to the head of the output array to append to. Must not be NULL (but the array may be empty). + * @param[in,out] count Pointer to the counter of the output array to append to. Must not be NULL (but it may contain zero). + * @param[in] filename Current filename, for output/logging reasons. + * @param[in] groupname Current group name, for output/logging reasons. + * @return The amount of entries read, zero in case of errors. + */ +int socket_net_config_read_sub(config_setting_t *t, struct s_subnet **list, int *count, const char *filename, const char *groupname) +{ + int i, len; + char ipbuf[64], maskbuf[64]; + + nullpo_retr(0, list); + nullpo_retr(0, count); + + if (t == NULL) + return 0; + + len = libconfig->setting_length(t); + + for (i = 0; i < len; ++i) { + const char *subnet = libconfig->setting_get_string_elem(t, i); + struct s_subnet *l = NULL; + + if (sscanf(subnet, "%63[^:]:%63[^:]", ipbuf, maskbuf) != 2) { + ShowWarning("Invalid IP:Subnet entry in configuration file %s: '%s' (%s)\n", filename, subnet, groupname); + } + RECREATE(*list, struct s_subnet, *count + 1); + l = *list; + l[*count].ip = str2ip(ipbuf); + l[*count].mask = str2ip(maskbuf); + ++*count; + } + return *count; +} + +/** + * Reads the network configuration file. + * + * @param filename The filename to read from. + */ +void socket_net_config_read(const char *filename) +{ + config_t network_config; + int i; + nullpo_retv(filename); + + if (libconfig->read_file(&network_config, filename)) { + ShowError("LAN Support configuration file is not found: '%s'. This server won't be able to accept connections from any servers.\n", filename); + return; + } + + if (sockt->lan_subnet) { + aFree(sockt->lan_subnet); + sockt->lan_subnet = NULL; + } + sockt->lan_subnet_count = 0; + if (sockt->net_config_read_sub(libconfig->lookup(&network_config, "lan_subnets"), &sockt->lan_subnet, &sockt->lan_subnet_count, filename, "lan_subnets") > 0) + ShowStatus("Read information about %d LAN subnets.\n", sockt->lan_subnet_count); + + if (sockt->trusted_ip) { + aFree(sockt->trusted_ip); + sockt->trusted_ip = NULL; + } + sockt->trusted_ip_count = 0; + if (sockt->net_config_read_sub(libconfig->lookup(&network_config, "trusted"), &sockt->trusted_ip, &sockt->trusted_ip_count, filename, "trusted") > 0) + ShowStatus("Read information about %d trusted IP ranges.\n", sockt->trusted_ip_count); + for (i = 0; i < sockt->allowed_ip_count; ++i) { + if ((sockt->allowed_ip[i].ip & sockt->allowed_ip[i].mask) == 0) { + ShowError("Using a wildcard IP range in the trusted server IPs is NOT RECOMMENDED.\n"); + ShowNotice("Please edit your '%s' trusted list to fit your network configuration.\n", filename); + break; + } + } + + if (sockt->allowed_ip) { + aFree(sockt->allowed_ip); + sockt->allowed_ip = NULL; + } + sockt->allowed_ip_count = 0; + if (sockt->net_config_read_sub(libconfig->lookup(&network_config, "allowed"), &sockt->allowed_ip, &sockt->allowed_ip_count, filename, "allowed") > 0) + ShowStatus("Read information about %d allowed server IP ranges.\n", sockt->allowed_ip_count); + if (sockt->allowed_ip_count == 0) { + ShowError("No allowed server IP ranges configured. This server won't be able to accept connections from any char servers.\n"); + } + for (i = 0; i < sockt->allowed_ip_count; ++i) { + if ((sockt->allowed_ip[i].ip & sockt->allowed_ip[i].mask) == 0) { + ShowWarning("Using a wildcard IP range in the allowed server IPs is NOT RECOMMENDED.\n"); + ShowNotice("Please edit your '%s' allowed list to fit your network configuration.\n", filename); + break; + } + } + libconfig->destroy(&network_config); + return; +} + void socket_defaults(void) { sockt = &sockt_s; @@ -1600,6 +1774,13 @@ void socket_defaults(void) { memset(&sockt->addr_, 0, sizeof(sockt->addr_)); sockt->naddr_ = 0; /* */ + sockt->lan_subnet_count = 0; + sockt->lan_subnet = NULL; + sockt->allowed_ip_count = 0; + sockt->allowed_ip = NULL; + sockt->trusted_ip_count = 0; + sockt->trusted_ip = NULL; + sockt->init = socket_init; sockt->final = socket_final; /* */ @@ -1628,4 +1809,10 @@ void socket_defaults(void) { sockt->ntows = ntows; sockt->getips = socket_getips; sockt->set_eof = set_eof; + + sockt->lan_subnet_check = socket_lan_subnet_check; + sockt->allowed_ip_check = socket_allowed_ip_check; + sockt->trusted_ip_check = socket_trusted_ip_check; + sockt->net_config_read_sub = socket_net_config_read_sub; + sockt->net_config_read = socket_net_config_read; } diff --git a/src/common/socket.h b/src/common/socket.h index bd5d9baa2..26b674d43 100644 --- a/src/common/socket.h +++ b/src/common/socket.h @@ -6,6 +6,7 @@ #define COMMON_SOCKET_H #include "common/cbasetypes.h" +#include "common/conf.h" #ifdef WIN32 # include "common/winapi.h" @@ -105,6 +106,12 @@ struct hSockOpt { unsigned int setTimeo : 1; }; +/// Subnet/IP range in the IP/Mask format. +struct s_subnet { + uint32 ip; + uint32 mask; +}; + /// Use a shortlist of sockets instead of iterating all sessions for sockets /// that have data to send or need eof handling. /// Adapted to use a static array instead of a linked list. @@ -132,6 +139,14 @@ struct socket_interface { /* */ uint32 addr_[16]; // ip addresses of local host (host byte order) int naddr_; // # of ip addresses + + struct s_subnet *lan_subnet; ///< LAN subnets array + int lan_subnet_count; ///< LAN subnets count + struct s_subnet *trusted_ip; ///< Trusted IP ranges array + int trusted_ip_count; ///< Trusted IP ranges count + struct s_subnet *allowed_ip; ///< Allowed server IP ranges array + int allowed_ip_count; ///< Allowed server IP ranges count + /* */ void (*init) (void); void (*final) (void); @@ -165,6 +180,12 @@ struct socket_interface { int (*getips) (uint32* ips, int max); /* */ void (*set_eof) (int fd); + + uint32 (*lan_subnet_check) (uint32 ip, struct s_subnet *info); + bool (*allowed_ip_check) (uint32 ip); + bool (*trusted_ip_check) (uint32 ip); + int (*net_config_read_sub) (config_setting_t *t, struct s_subnet **list, int *count, const char *filename, const char *groupname); + void (*net_config_read) (const char *filename); }; struct socket_interface *sockt; -- cgit v1.2.3-70-g09d2