Make some more fixes to prod

2025-07-07 19:58:30 +00:00 · 2022-10-19 13:10:00 -07:00 · 2022-10-19 13:10:00 -07:00 · da336b3ea8
commit da336b3ea8
parent 69bee64a59
6 changed files with 90 additions and 28 deletions
--- a/net/http/istestnetip.c
+++ b/net/http/istestnetip.c
@ -24,6 +24,6 @@
 */
 bool IsTestnetIp(uint32_t x) {
  return (((x & 0xFFFFFF00u) == 0xC0000200u) /* 192.0.2.0/24 */ ||
-          ((x & 0xFFFFFF00u) == 0xC0000200u) /* 198.51.100.0/24 */ ||
+          ((x & 0xFFFFFF00u) == 0x0c6336400) /* 198.51.100.0/24 */ ||
          ((x & 0xFFFFFF00u) == 0xCB007100u) /* 203.0.113.0/24 */);
 }
--- a/net/turfwar/.init.lua
+++ b/net/turfwar/.init.lua
@ -18,7 +18,6 @@ RELAY_HEADERS_TO_CLIENT = {
    'Content-Type',
    'Last-Modified',
    'Referrer-Policy',
-    'Vary',
 }

 function OnServerStart()
@ -30,10 +29,27 @@ function OnWorkerStart()
    assert(unix.setrlimit(unix.RLIMIT_RSS, 2*1024*1024))
    assert(unix.setrlimit(unix.RLIMIT_CPU, 2))
    assert(unix.unveil(nil, nil))
-    assert(unix.pledge("stdio inet", nil, unix.PLEDGE_PENALTY_RETURN_EPERM))
+    assert(unix.pledge("stdio inet unix", nil, unix.PLEDGE_PENALTY_RETURN_EPERM))
 end

 function OnHttpRequest()
+    local ip = GetClientAddr()
+    if not IsTrustedIp(ip) then
+        local tok = AcquireToken(ip)
+        if tok < 2 then
+            if Blackhole(ip) then
+                Log(kLogWarn, "banned %s" % {FormatIp(ip)})
+            else
+                Log(kLogWarn, "failed to ban %s" % {FormatIp(ip)})
+            end
+        end
+        if tok < 30 then
+            ServeError(429)
+            SetHeader('Connection', 'close')
+            Log(kLogWarn, "warned %s who has %d tokens" % {FormatIp(ip), tok})
+            return
+        end
+    end
    local url = 'http://127.0.0.1' .. EscapePath(GetPath())
    local name = GetParam('name')
    if name then
@ -49,7 +65,7 @@ function OnHttpRequest()
                   ['Referer'] = GetHeader('Referer'),
                   ['Sec-CH-UA-Platform'] = GetHeader('Sec-CH-UA-Platform'),
                   ['User-Agent'] = GetHeader('User-Agent'),
-                   ['X-Forwarded-For'] = FormatIp(GetClientAddr())}})
+                   ['X-Forwarded-For'] = FormatIp(ip)}})
    if status then
        SetStatus(status)
        for k,v in pairs(RELAY_HEADERS_TO_CLIENT) do
--- a/net/turfwar/blackholed.c
+++ b/net/turfwar/blackholed.c
@ -46,6 +46,7 @@
 #include "libc/sysv/consts/timer.h"
 #include "libc/time/struct/tm.h"
 #include "net/http/http.h"
+#include "net/http/ip.h"
 #include "third_party/getopt/getopt.h"
 #include "third_party/musl/passwd.h"

@ -355,7 +356,7 @@ void WritePid(void) {
 bool IsMyIp(uint32_t ip) {
  uint32_t *p;
  for (p = g_myips; *p; ++p) {
-    if (ip == *p) {
+    if (ip == *p && !IsTestnetIp(ip)) {
      return true;
    }
  }
--- a/net/turfwar/turfwar.c
+++ b/net/turfwar/turfwar.c
@ -1029,8 +1029,6 @@ void *HttpWorker(void *arg) {
                             "Cache-Control: max-age=3600, private\r\n"
                             "Date: ");
          p = FormatDate(p);
-          p = stpcpy(p, "\r\nX-Token-Count: ");
-          p = FormatInt32(p, CountTokens(g_tok.b, ip, TB_CIDR));
          p = stpcpy(p, "\r\nContent-Length: ");
          p = FormatInt32(p, strlen(ipbuf));
          p = stpcpy(p, "\r\n\r\n");