#186 Client block for clients without ident

u2.10.12
closed-fixed
Entrope
Server (143)
5
2016-10-20
2010-04-12
wiebe
No

I was trying to configure my test server to allow 1 connection per IP for clients without ident reply, and 3 connections per IP for clients with an ident reply, because I was thinking that might be useful for IRC servers. But nothing I tried seemed to work.

I always ended up in the class ident, even though my client did not provide an ident reply. Also tried with username =, but that did not seem to help. I tested a kill block on ~*@* which seemed to work just fine.

If this is not a bug, please consider adding such a feature. I think it would be very useful if you can set up client blocks that can match whether the user has an ident reply or not.

Client {
class = "noident";
host = "~~*@*";
ip = "~~*@*";
maxlinks = 1;
};

Client {
class = "noident";
host = "~*@*";
ip = "~*@*";
maxlinks = 1;
};

Client {
class = "noident";
host = "@*";
ip = "@*";
maxlinks = 1;
};

Client {
class = "ident";
host = "*@*";
ip = "*@*";
maxlinks = 3;
};

Kill {
host = "~*@*";
reason = "IDENT required";
};

Discussion

  • David Herrmann - 2010-04-12

    As far as I remember, client classes are inserted in a single linked list and thus matched in reverse order compared to your config file order.
    Furthermore, the ircu rejects clients if the first matching client block exceeds the maxlinks-limit instead of searching for other matching client blocks that did not exceed the maxlinks-limit, yet. Hence your example would be totally useless because all clients match your last client block and thus will never be matched against another block.

    However, you can use this fact to achieve your result by changing the order of your config items to:

    Client {
    class = "ident";
    host = "*@*";
    ip = "*@*";
    maxlinks = 3;
    };

    Client {
    class = "noident";
    host = "~*@*";
    ip = "~*@*";
    maxlinks = 1;
    };

    Connecting clients without ident will be put into the "noident" class which allows just one single connection. All clients with ident will be put into the "ident" class which allows three connections.
    This is not tested but I think it should work.

     
  • wiebe - 2010-04-13

    Sorry, I was a bit lazy when posting the report. I tried it in that order as well, and I just tried again to make sure, but no, that does not seem to work either.

     
  • Entrope - 2013-08-01

    When you tried the second time, was the "@" block before the "@*" block? Due to a peculiarity in the code, I think that a no-ident client is treated as having an empty username for Client block matching.

    That is, I think it should work if you have just these two rules, in this order, in ircd.conf:

    Client {
    class = "ident";
    host = "@";
    ip = "@";
    maxlinks = 3;
    };

    Client {
    class = "noident";
    host = "@";
    ip = "@";
    maxlinks = 1;
    };

     
  • Entrope - 2013-08-01

    Argh, SourceForge munged my previous post. (What kind of lame injection-avoidance script strips * rather than just escaping it?) For the ident block, it should look like:

    host = "*@*";

    and for the noident block, it should look like:

    host = "@*";

     
  • Entrope - 2016-10-20

    My last comment was wrong -- until now.

    Commit [6e7faac5523c092ba2062432c5e0228bfa7871f4] (make_client: Set initial username to "" rather than "unknown".) makes this work like you asked:

    Client { class = "Local"; ip = "*@127.0.0.1/8"; maxlinks = 3; };
    Client { class = "Local"; ip = "@127.0.0.1/8"; maxlinks = 1; };
    

    The old code would require the second mask to be unknown@127.0.0.1/8, but obviously someone could configure their identd to return that. (s_auth.c rejects empty ident responses.)

     

    Related

    Commit: [6e7faa]
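
The matching behaviour discussed in this thread, as an added example that is not part of the ticket and not ircu source code. It assumes the last-to-first scan David Herrmann recalls, a minimal glob matcher, host-only masks and a constructed client address (192.0.2.7); all struct and function names are illustrative.

```c
#include <stdio.h>

/* Simplified model of Client-block selection as described in this thread.
 * Not ircu source: the struct, the matcher and all names are illustrative. */
struct block { const char *cls; const char *mask; int maxlinks; };

/* Minimal glob: '*' matches any run of characters, including none. */
static int glob(const char *m, const char *s) {
    if (*m == '*') return glob(m + 1, s) || (*s && glob(m, s + 1));
    if (*m == '\0') return *s == '\0';
    return *m == *s && glob(m + 1, s + 1);
}

/* Username used for matching: an accepted ident reply, else the initial
 * value ("unknown" before the commit, "" after). Empty replies count as
 * no reply, since the thread says s_auth.c rejects them. */
static const char *match_user(const char *reply, const char *initial) {
    return (reply && *reply) ? reply : initial;
}

/* maxlinks of the block a client lands in. Each config below has two blocks,
 * scanned last-to-first (assumption from the thread: the list is built by
 * prepending); the first match wins. Returns 0 if nothing matches. */
int limit(const struct block *conf, const char *initial, const char *reply) {
    char who[128];
    snprintf(who, sizeof who, "%s@%s", match_user(reply, initial), "192.0.2.7");
    for (int i = 1; i >= 0; i--)
        if (glob(conf[i].mask, who)) return conf[i].maxlinks;
    return 0;
}

/* Constructed configs, listed in config-file order. */
const struct block reported[] = {{"noident", "@*", 1}, {"ident", "*@*", 3}};
const struct block pre_fix[]  = {{"ident", "*@*", 3}, {"noident", "unknown@*", 1}};
const struct block post_fix[] = {{"ident", "*@*", 3}, {"noident", "@*", 1}};

int main(void) {
    const char *replies[] = {NULL, "alice", "unknown"};  /* constructed ident replies */
    for (int i = 0; i < 3; i++)
        printf("reply=%-8s reported=%d pre_fix=%d post_fix=%d\n",
               replies[i] ? replies[i] : "(none)",
               limit(reported, "", replies[i]),
               limit(pre_fix, "unknown", replies[i]),
               limit(post_fix, "", replies[i]));
    return 0;
}
```

With the pre-fix initial username, a client whose identd answers "unknown" lands in the same block as a client with no ident at all; with the empty initial username no accepted ident reply can collide with the no-ident mask.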

  • Entrope - 2016-10-20
    • status: open --> closed-fixed
    • assigned_to: Entrope
    • Group: --> u2.10.12
     
