Add exempt logic for open proxies

authd/provider.c

@@ -215,6 +215,9 @@ reject_client(struct auth_client *auth, provider_t id, const char *data, const c
 	case PROVIDER_BLACKLIST:
 		reject = 'B';
 		break;
+	case PROVIDER_OPM:
+		reject = 'O';
+		break;
 	default:
 		reject = 'N';
 		break;

include/s_conf.h

@@ -110,6 +110,7 @@ struct ConfItem
 #define CONF_FLAGS_EXTEND_CHANS		0x00080000
 #define CONF_FLAGS_ENCRYPTED            0x00200000
 #define CONF_FLAGS_EXEMPTDNSBL		0x04000000
+#define CONF_FLAGS_EXEMPTPROXY		0x08000000
 
 
 /* Macros for struct ConfItem */
@@ -130,6 +131,7 @@ struct ConfItem
 #define IsConfEncrypted(x)      ((x)->flags & CONF_FLAGS_ENCRYPTED)
 #define IsNeedSasl(x)		((x)->flags & CONF_FLAGS_NEED_SASL)
 #define IsConfExemptDNSBL(x)	((x)->flags & CONF_FLAGS_EXEMPTDNSBL)
+#define IsConfExemptProxy(x)	((x)->flags & CONF_FLAGS_EXEMPTPROXY)
 #define IsConfExtendChans(x)	((x)->flags & CONF_FLAGS_EXTEND_CHANS)
 #define IsConfSSLNeeded(x)	((x)->flags & CONF_FLAGS_NEED_SSL)
 

ircd/newconf.c

@@ -331,22 +331,23 @@ static struct mode_table oper_table[] = {
 };
 
 static struct mode_table auth_table[] = {
-	{"encrypted",		CONF_FLAGS_ENCRYPTED	},
-	{"spoof_notice",	CONF_FLAGS_SPOOF_NOTICE	},
-	{"exceed_limit",	CONF_FLAGS_NOLIMIT	},
-	{"dnsbl_exempt",	CONF_FLAGS_EXEMPTDNSBL	},
-	{"kline_exempt",	CONF_FLAGS_EXEMPTKLINE	},
-	{"flood_exempt",	CONF_FLAGS_EXEMPTFLOOD	},
-	{"spambot_exempt",	CONF_FLAGS_EXEMPTSPAMBOT },
-	{"shide_exempt",	CONF_FLAGS_EXEMPTSHIDE	},
-	{"jupe_exempt",		CONF_FLAGS_EXEMPTJUPE	},
-	{"resv_exempt",		CONF_FLAGS_EXEMPTRESV	},
-	{"no_tilde",		CONF_FLAGS_NO_TILDE	},
-	{"need_ident",		CONF_FLAGS_NEED_IDENTD	},
-	{"have_ident",		CONF_FLAGS_NEED_IDENTD	},
-	{"need_ssl", 		CONF_FLAGS_NEED_SSL	},
-	{"need_sasl",		CONF_FLAGS_NEED_SASL	},
-	{"extend_chans",	CONF_FLAGS_EXTEND_CHANS	},
+	{"encrypted",		CONF_FLAGS_ENCRYPTED		},
+	{"spoof_notice",	CONF_FLAGS_SPOOF_NOTICE		},
+	{"exceed_limit",	CONF_FLAGS_NOLIMIT		},
+	{"dnsbl_exempt",	CONF_FLAGS_EXEMPTDNSBL		},
+	{"proxy_exempt",	CONF_FLAGS_EXEMPTPROXY		},
+	{"kline_exempt",	CONF_FLAGS_EXEMPTKLINE		},
+	{"flood_exempt",	CONF_FLAGS_EXEMPTFLOOD		},
+	{"spambot_exempt",	CONF_FLAGS_EXEMPTSPAMBOT	},
+	{"shide_exempt",	CONF_FLAGS_EXEMPTSHIDE		},
+	{"jupe_exempt",		CONF_FLAGS_EXEMPTJUPE		},
+	{"resv_exempt",		CONF_FLAGS_EXEMPTRESV		},
+	{"no_tilde",		CONF_FLAGS_NO_TILDE		},
+	{"need_ident",		CONF_FLAGS_NEED_IDENTD		},
+	{"have_ident",		CONF_FLAGS_NEED_IDENTD		},
+	{"need_ssl", 		CONF_FLAGS_NEED_SSL		},
+	{"need_sasl",		CONF_FLAGS_NEED_SASL		},
+	{"extend_chans",	CONF_FLAGS_EXTEND_CHANS		},
 	{NULL, 0}
 };
 

ircd/s_user.c

@@ -467,6 +467,34 @@ register_local_user(struct Client *client_p, struct Client *source_p)
 				return CLIENT_EXITED;
 			}
 			break;
+		case 'O':
+			if(IsExemptKline(source_p) || IsConfExemptProxy(aconf))
+			{
+				sendto_one_notice(source_p, ":*** Your IP address %s has been detected as an open proxy (ip:port %s), but you are exempt",
+						source_p->sockhost, source_p->preClient->authd_data);
+			}
+			else
+			{
+				sendto_realops_snomask(SNO_REJ, L_NETWIDE,
+					"Open proxy %s: %s (%s@%s) [%s] [%s]",
+					source_p->preClient->authd_data,
+					source_p->name,
+					source_p->username, source_p->host,
+					IsIPSpoof(source_p) ? "255.255.255.255" : source_p->sockhost,
+					source_p->info);
+
+				ServerStats.is_ref++;
+
+				sendto_one(source_p, form_str(ERR_YOUREBANNEDCREEP),
+						me.name, source_p->name, reason);
+
+				sendto_one_notice(source_p, ":*** Your IP address %s has been detected as an open proxy (ip:port %s)",
+						source_p->sockhost, source_p->preClient->authd_data);
+				add_reject(source_p, NULL, NULL);
+				exit_client(client_p, source_p, &me, "*** Banned (Open proxy)");
+				substitution_free(&varlist);
+				return CLIENT_EXITED;
+			}
 		default:	/* Unknown, but handle the case properly */
 			if (IsExemptKline(source_p))
 			{