telnet: Remove local banning, just use UDP sending to trusted proxy
Since we can't reject connections from banned IPs before opening the
TCP connection and we can get the trusted proxy to block IPs with
UDP messages, just rip local banning out of here.
jcs made amendment 216 over 2 years ago
--- telnet.c Sun Jul 17 00:14:28 2022
+++ telnet.c Sun Jul 17 20:12:36 2022
@@ -126,13 +126,6 @@ static char *udp_ban_rcv_buf;
static wdsEntry udp_ban_wds[2];
static char udp_ban_send_buf[16];
-#define MAX_BANNED_IPS 20
-#define IP_BAN_SECONDS (60 * 30)
-static struct banned_ip {
- ip_addr ip;
- unsigned long time;
-} banned_ips[MAX_BANNED_IPS] = { 0 };
-
/* terminals that will have vt100 set by default */
static const char * vt100_terms[] = {
"ansi",
@@ -148,7 +141,6 @@ void telnet_setup(struct session *session);
void telnet_listen_on_node(struct telnet_node *node);
void telnet_output_iac(struct session *session, const char *iacs,
size_t len);
-bool telnet_ip_is_banned(ip_addr ip);
void telnet_print_busy(struct telnet_node *node);
struct node_funcs telnet_node_funcs = {
@@ -308,17 +300,6 @@ telnet_idle(void)
node->id);
}
- if (!node->from_trusted_proxy &&
- telnet_ip_is_banned(telnet_status_pb.remoteHost)) {
- logger_printf(logger, "[%s] Refusing telnet "
- "connection from banned IP %s", node->name,
- node->ip_s);
- _TCPRelease(&node->listen_pb, node->stream, nil,
- nil, false);
- node->state = TELNET_PB_STATE_UNUSED;
- goto next_node;
- }
-
logger_printf(logger, "[%s] New telnet connection "
"from %s%s", node->name, node->ip_s,
node->from_trusted_proxy ? " (via trusted proxy)" : "");
@@ -839,40 +820,26 @@ telnet_close(struct session *session)
if (node->from_trusted_proxy)
session->ban_node_source = false;
- if (session->ban_node_source && !node->from_trusted_proxy) {
+ if (session->ban_node_source && !node->from_trusted_proxy &&
+ db->config.trusted_proxy_ip != 0 &&
+ db->config.trusted_proxy_udp_port != 0) {
session_log(session, "Closing telnet connection from %s and "
"banning IP", node->ip_s);
- for (n = 0; n <= MAX_BANNED_IPS; n++) {
- if (n == MAX_BANNED_IPS) {
- memmove(banned_ips + sizeof(banned_ips[0]), banned_ips,
- sizeof(banned_ips) - sizeof(banned_ips[0]));
- banned_ips[0].ip = node->ip;
- banned_ips[0].time = Time;
- } else if (banned_ips[n].ip == 0) {
- banned_ips[n].ip = node->ip;
- banned_ips[n].time = Time;
- break;
- }
- }
-
- if (db->config.trusted_proxy_ip != 0 &&
- db->config.trusted_proxy_udp_port != 0) {
- tmp = (unsigned char *)&node->ip;
- len = snprintf(udp_ban_send_buf, sizeof(udp_ban_send_buf),
- "%d.%d.%d.%d", tmp[0], tmp[1], tmp[2], tmp[3]);
- udp_ban_wds[0].ptr = (Ptr)&udp_ban_send_buf;
- udp_ban_wds[0].length = len;
- udp_ban_wds[1].ptr = 0;
- udp_ban_wds[1].length = 0;
+ tmp = (unsigned char *)&node->ip;
+ len = snprintf(udp_ban_send_buf, sizeof(udp_ban_send_buf),
+ "%d.%d.%d.%d", tmp[0], tmp[1], tmp[2], tmp[3]);
+ udp_ban_wds[0].ptr = (Ptr)&udp_ban_send_buf;
+ udp_ban_wds[0].length = len;
+ udp_ban_wds[1].ptr = 0;
+ udp_ban_wds[1].length = 0;
- error = _UDPSend(&udp_ban_pb, udp_ban_stream, udp_ban_wds,
- db->config.trusted_proxy_ip,
- db->config.trusted_proxy_udp_port, NULL, NULL, false);
- if (error)
- session_log(session, "Failed sending IP ban UDP packet: %d",
- error);
- }
+ error = _UDPSend(&udp_ban_pb, udp_ban_stream, udp_ban_wds,
+ db->config.trusted_proxy_ip,
+ db->config.trusted_proxy_udp_port, NULL, NULL, false);
+ if (error)
+ session_log(session, "Failed sending IP ban UDP packet: %d",
+ error);
} else {
session_log(session, "Closing telnet connection from %s",
node->ip_s);
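Review bot: A ban request now degrades silently when no trusted proxy is configured: with `ban_node_source` set but `trusted_proxy_ip` or `trusted_proxy_udp_port` zero, the widened condition falls through to the plain `else` branch and logs only "Closing telnet connection from %s", so the operator never learns that a ban was requested and dropped (local banning having been removed in the same commit). An intermediate branch makes the outcome visible in the log: `} else if (session->ban_node_source && !node->from_trusted_proxy) {` / `session_log(session, "Closing telnet connection from %s; ban requested but no trusted proxy configured", node->ip_s);` / `} else {`. Separately, the datagram carries only the dotted quad and nothing the proxy could use to authenticate the request, so presumably the proxy restricts ban messages by source address; a comment above the `_UDPSend` call such as `/* unauthenticated; the proxy must accept ban requests only from this host */` would record that assumption for the next reader. telnet_close begins before this hunk and continues past it.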
@@ -889,30 +856,6 @@ telnet_close(struct session *session)
session->cookie = NULL;
node->state = TELNET_PB_STATE_UNUSED;
-}
-
-bool
-telnet_ip_is_banned(ip_addr ip)
-{
- short j;
- char ip_s[16];
- bool ret = false;
-
- for (j = 0; j < MAX_BANNED_IPS; j++) {
- if (banned_ips[j].ip && Time > banned_ips[j].time &&
- (Time - banned_ips[j].time > IP_BAN_SECONDS)) {
- long2ip(banned_ips[j].ip, ip_s);
- logger_printf(logger, "[%s] Unbanning IP after %ld seconds",
- ip_s, Time - banned_ips[j].time);
- banned_ips[j].ip = 0;
- continue;
- }
-
- if (banned_ips[j].ip == ip)
- ret = true;
- }
-
- return ret;
}
void
--- telnet.h Thu Feb 10 15:47:50 2022
+++ telnet.h Sun Jul 17 20:13:43 2022
@@ -14,6 +14,9 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#ifndef __TELNET_H__
+#define __TELNET_H__
+
#include "session.h"
void telnet_init(void);
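Review bot: The new include guard `__TELNET_H__` uses a name beginning with a double underscore, which C reserves for the implementation (C11 §7.1.3), so it can in principle collide with a compiler or libc header macro. A plain project name avoids that: `#ifndef TELNET_H` / `#define TELNET_H`, and the matching `#endif` added in the second hunk of this file is best written `#endif /* TELNET_H */` so the close is self-describing.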
@@ -22,4 +25,6 @@ void telnet_idle(void);
void telnet_atexit(void);
void telnet_close(struct session *session);
short telnet_output(struct session *session);
-short telnet_input(struct session *session);
+short telnet_input(struct session *session);
+
+#endif