#waterfall-github

281e731 Remove remaining CI references - electronicboy

a6ec942 Updated Upstream (Waterfall) - electronicboy

[20:38:49 INFO]: [/IP|Michu_toja_] -> UpstreamBridge has disconnected
[20:38:49 INFO]: [IP|Michu_toja_] DownstreamBridge [lobby] has disconnected

I have well-configured ip addresses, because I can connect to them normally. But when I turn on the waterfall and enter through it, it pops up, and writes that it is impossible to connect to the server (added in the waterfall), I will enter the lobby, but from the lobby to other I can not and in other directions, as I am on survival, then not ...

all we can see from that is that the client disconnected, there is nothing useful in there, check your client logs, etc

585896f don't relay brand messages - electronicboy

Compare changes

e585e7c Exchange Spigot IRC with Esper (#592) - N0tMyFaultOG

Not too sure I really want this on the basis of "now we gotta maintain a docker file", at the very least, this is flawed as it doesn't even copy the modules into place either, and 4G of heap is excessive for the proxy for 99% of people, most memory churning on a supported platform is off-heap

Module copying can be added. The 4G is literally an environment variable; adjust as needed (although the default can be lowered). Anyone who runs a Docker based infrastructure neneds Docker images, so I figured this could help some people.

In the bungeecord jar there is a messages.txt file or something like that

Yes, I see there is a messages.properties file inside the jar, but I feel there should be a way for us to change the messages in a configuration file.

Those messages from /send are not configurable, no idea if there is an upstream issue on that
as for the messages file, just extract the file out of the jar and throw it in the same folder as you run the server from, no need to move anything to a config file, modifying that file outside of the jar has been supported for years

I put out this PR a few days ago actually, if md_5 decides to approve it
https://github.com/SpigotMC/BungeeCord/pull/3015

If md_5 goes ahead with approving it; this PR I posted last week should support your needs
SpigotMC/BungeeCord#3015

That looks great! We only ever send one player at a time, so all that extra info is just totally unnecessary and clogs up the chat. All I want is to see "<player name> has been sent to <server>" or something like that.

Hey developers,

recently a mysterious package from an brazilian IP occured on my server which made it crash. Is there any way to prevent this from happening, so that those packets are automatically rejected?
bungee-package.pdf

i had to put it into a pdf because it's almost 20 din a 4 pages long ...

Thanks in advance,
Cris

https://pastebin.com/ky02MSLe

Please use a paste site instead

https://pastebin.pl/view/ba60cf32

problem of plugin dynamicbungeeauth. not bungeecord or waterfall.

Does waterfall fix the exploits that [2LS] ExploitFixer fixes?

Many of the issues with EF fixes are irrelevant to bungee, however, waterfall fixes many of the other issues where viable, we cannot impede on the behavior of the protocol and generally aim to leave stuff like firewalling to an actual firewall; I do have some stuff incoming down the line when I'm not too ill, but, if exploits are a concern, you'd be better off looking into alternative options like velocity, where many of these issues are not compounded by the software itself

Something, likely on the server, mangled a packet from the server, that looks like a light packet which the proxy doesn't even touch

Looking at PacketLoginInStart in Spigot shows that vanilla Minecraft is limiting the username to 16 bytes, while LoginRequest does not and so up to 32767 bytes could be used.

Anyway, this would only spam the logs. But for web interfaces showing those logs this could potentially insert script code.

Same Problem.

3-5 crash / day

When decoding the data of the LoginRequest packet, up to 32767 bytes can be read although usernames should not be that huge. This commit might prevent issue #594 from happening.

3bac1f3 Limit login request data to 16 bytes (#597) - hochbaum

Thanks for the PR, had been meaning to look into this but tripped into something else

a PR that should resolve this has been pulled

19326fa Updated Upstream (Waterfall) - electronicboy

https://github.com/PaperMC/Waterfall/blob/master/BungeeCord-Patches/0003-Rename-references-from-BungeeCord-to-Waterfall.patch#L51

*** Please download a new build from https://ci.destroystokyo.com/job/Waterfall/ ***

The link requires a GitHub login. If I log in, I get greeted with the following page (see screenshot). I do not understand why authorization would be required for a download. If it is not a mistake and an auth really is required for whatever reason, maybe redirect to a webp...

Well, that patch I linked is actually overridden by a different patch: https://github.com/PaperMC/Waterfall/blob/281e7310b8999ef9cbaaf3ba348bfa50f9d531f9/BungeeCord-Patches/0034-Improve-outdated-build-message.patch#L16

I found this while searching for the same issue on Travertine.

I guess you have some redundant stuff in there, but whatever, I'm closing this issue, since it does not exist in reality.

I just want to mention that there are actively community-maintained Dockerfiles for Waterfall (https://github.com/itzg/docker-bungeecord). As @electronicboy said this would allow focusing on Waterfall itself more in this repository and not having the struggle to maintain an unneccessary Dockerfile additionally.

hi i have problem with waterfall sometimes when my members disconnect from a server they will not get removed from the waterfall server

there’s noOne in survival named unknown but in waterfall it says he’s in survival

Patch got included in upstream.

What should i do？

The issue tracker is for reporting issues, not seeking support, you're also using a stupendously old version of travertine.
As for the error, can't say, that exception covers many general "we failed to connect scenarios", generally network configuration related

Hi

I saw this issue on a new exploit and updated my Waterfall Proxy so we're running the newest build; Waterfall-Bootstrap:1.16-R0.4-SNAPSHOT:2eae08f:393

Today we were hit by (I believe?) the same attack, causing some interruption.
At first this is spammed in the console; https://pastebin.com/c28c1kna
Then this: https://pastebin.com/jwMsncRt
And finally Session server times out, because of too many requests I guess; https://pastebin....

obviously not fake ips, as it is tcp connection.

"Obviously" the usernames are fake...
The IPs are proxys/vpn, not someones home connection :)

Some more mitigations regarding this are being worked on. For now have some patience please.

Some more mitigations regarding this are being worked on. For now have some patience please.

Yes of course.
I wasn't sure if this was 'my' problem or something you needed to work on 👍

Hi, I'm having issues with latest travertine release. I think you need to update bungeecord API

That's not even remotely the latest release

Upstream has released updates that appears to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

BungeeCord Changes:
3d701fbe #3028: Add protocol level string length limits
e95da111 Bump Netty/SnakeYAML/MySQL versions

Minor edits: Remove readString method from 0048-Use-proper-max-length-for-serverbound-chat-packet.patch
Reason: Now included in upstream

b3e5814 Updated Upstream (BungeeCord) (#601) - Xernium

Upstream has released updates that appears to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Waterfall Changes:
b3e5814 Updated Upstream (BungeeCord) (#601)
3bac1f3 Limit login request data to 16 bytes (#597)

4323ca9 Updated Upstream (Waterfall) (#151) - Xernium

Hello there, i have been target of a lot of ratkids attacking my server recently, my server is premium (for those haters that were going to say, online-mode: true).

I received a lot of different attacks and i could collect the console output of 3 of them:
1: https://i.imgur.com/UvrYZzo.png
2: https://i.imgur.com/66xqRZH.png
3: https://i.imgur.com/amtBSos.png

I know theres another one that profits from "query_enabled" and spams the console with "Incorrect magic" or "Invalid magic".

...

Duplicate of #600
Rest assured, this is being worked on.

Really a nice job. But I am getting some errors with 20w51a and 21w03a recently.
The first one is that any potion effect will cause player disconnect, but the console log is normal.
The second one is this:
[Netty Worker IO Thread #7/WARN]: [/39.187.231.241:31521|lky] <-> DownstreamBridge <-> [PreviewServer] - overflow in packet detected! Cannot receive string longer than Short.MAX_VALUE (got 1822273 characters)

Really hope that there can be a fix on this. Thanks!

@Xuwznln I can not reproduce your issue.
<img width="1552" alt="Bildschirmfoto 2021-01-31 um 14 46 30" src="https://user-images.githubusercontent.com/10787350/106386016-43b33780-63d3-11eb-9ae8-d21734aa7f78.png">
Please provide me with:

• Description of your setup
• Complete list of plugins on the proxy (yes those matter a lot in this case as they may not work with the snapshots)
• Complete list of mods or plugins on the downstream server
• A way to reproduce this issue

Snapshot 21w03a Waterfall
21w03a fabric server with fabric-installer-0.6.1.51_2 and fabric-api-0.29.5+1.17
and other paper servers.

proxy plugins:

• BungeeResourcepacks
• LuckPerms
• SkinsRestorer
• BungeeCommandBlocker
• PartyAndFriends
• AnnouncementsEverywhere
• Triton
• Friends-Online-Info-On-Join-For-PAF
• BungeePluginManager
• TTCW
• AntiFakePlayer
• BungeeTabListPlus
• BungeeBan

fabric server mods:

• fabric-api-0.29.5+1.17
• fabric-carpet-21w03a-1.4.24 v210120
  -...

@Xuwznln It has to be a plugin or mod causing this. I don't suspect its the carpet mod on the server, I suspect its a Bungee plugin. I tried it with a 1.16.5 paper server with the ViaVersion-dev release and a snapshot server running the same fabric, fabric-api and fabric-proxy. Please try to find it by removing plugins one by one until it stops.

Recently more overload DoS attacks have been observed on Minecraft proxies.
@astei mitigated these types of attacks on the Velocity project by introducing an upfront check for packet sizes
The commit in question can be found here

This patch aims to bring the same mitigations found in Velocity to Waterfall.
Additionally, this patch contains some additional mitigations by limiting the generation...

2c5c954 Additional DoS Mitigations for the login sequen... - Xernium

Upstream has released updates that appears to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Waterfall Changes:
2c5c954 Additional DoS Mitigations for the login sequence (#603)
b3e5814 Updated Upstream (BungeeCord) (#601)

bd883ac Updated Upstream (Waterfall) (#152) - Xernium

Currently (Version: 1.16.4 / #393) when a player connects to the proxy, when another connection for the same player is still online (out of whichever reasons), it can happen that the login event for the new connection is called before the old connection has their disconnect.

This situation can lead to some problems for custom plugins / development with the order of events and you can't make sure that the order is always disconnect and than login. So you maybe have to do some ma...

Yes, I do found the plugin named BungeeResourcePacks causing preview clients to disconnect.
I am going to create a issue there, thanks for your help.

It seems like this the disconnect that happens when the player is already online is an intentionally detached/async event that detaches here:

https://github.com/SpigotMC/BungeeCord/blob/master/proxy/src/main/java/net/md_5/bungee/netty/ChannelWrapper.java#L83

From:
https://github.com/SpigotMC/BungeeCord/blob/c987ee199d3ec93ce13469deefb1e2787d97147c/proxy/src/main/java/net/md_5/bungee/connection/InitialHandler.java#L485
refers to:
https://github.com/SpigotMC/BungeeCord/blob/c987ee199d3...

This probably can’t/won’t be fixed by paper. You should open an issue upstream on Bungeecord as this is a design change we probably won’t accommodate

I already found an open issue in Bungeecord #https://github.com/SpigotMC/BungeeCord/issues/2815 for that which aims at my problem described. But this has been open and unprocessed for a long time.

A user has already added his draft there. Maybe the paper team could take a look at it. This wrong order of the events can lead to the fact that custom user data from plugins could be first loaded and then removed again by the subsequent disconnect, which is very annoying and certainly so many de...

The draft mentioned in this issue doesn’t take a lot of channel logic into account. Fact of the matter is that to actually get this to follow the right order a completeable future would have to be issued from the Channel disconnect future of the existing client. That isn’t the greatest of ideas as this part of the login sequence is rather time-critical and it can take several seconds or more to complete the disconnect event as you want to wait on that. The player should be identifiable by ses...

Yes you are right. The design is probably not the best. But I don't think handling user data on the basis of the session is a good idea either, as this complicates the whole thing very much.

I can understand the point with the time-critical behavior to a limited extent. In general, it should be the exceptional case that a player tries to connect with a second connection and if this happens, then the time span of the login does not really matter.

Due to this fact, I currently regulate ...

Step 1: Don't use windows server
Step 2: Profit

Step 1: Don't use windows server

I don't. I just test on my local pc which is windows.

hi :)

Hi, I'm using the latest waterfall jar and for some unknown reason when I added one plugin to my skyblock server I got this error.

ServerConnector [skyblock] - encountered exception: net.md_5.bungee.util.QuietException: Unexpected packet received during server login process!

Please at least provide information about the plugin in question. Everything else considered this issue is most likely invalid. If you provide info about the plugin we might still take a look regardless.

The plugin was GenCubes, and the error it gave me on skyblock is the reason: Internal Exception: io.netty.handler.codec.DecoderException: java.io.IOException: Packet 0/0 (PacketPlayInTeleportAccept) was larger than I expected, found 6 bytes extra whilst reading packet 0

Something installed on the proxy is mangling the packet registry

Hi,
I'm using Waterfall version git:Waterfall-Bootstrap:1.16-R0.5-SNAPSHOT:c031df1:395. However, when I try to login to one particular server which is my skyblock server I get this error on the proxy.
[18:32:20] [Netty Worker IO Thread #2/INFO]: [_DJDan] ServerConnector [skyblock] has connected
[18:32:20] [Netty Worker IO Thread #2/ERROR]: [_DJDan ServerConnector [skyblock] - encountered exception: net.md_5.bungee.util.QuietException: Unexpected packet received during server login proc...

Duplicate of #605 (your issue?) Feel free to hop into #waterfall-help on Discord if you need more help.

While I agree that this whole system seems kinda weird, could we still merge this in as a bandaid fix? The change makes sense imo

This is a bandaid-fix for an issue that should never occur-
This should only ever occur if proxy uses "Fast switching" (or its inherent logic) when it shouldn't. In any other case we shouldn't end up here.
Todo: Amend Patch 0046 Provide an option to disable entity metadata rewriting to reflect this.
ALSO TODO:
Add a new patch to detect a modded connection and disallow the fast-switching method and the inherent limitations such as this one on connection being established for the rest...

Minor nag before this is merged; The patch name needs to be amended

Hello there.

The recent DoS fixes did not really do much (at least in my case). I have a sample of the java application used for sending attacks. For security reasons, I uploaded it here with a password. A developer/staff member can request me to remove the password should you wish for everyone to be able to grab this tool. Otherwise, you can contact me on Discord (OpenSource#2021) to get the file password.

Launch attack command: `java -jar jar...

Being personally honest, there is only so much we can do about DDoS attacks, they take advantage of the fundamental nature of software exposed to the internet: they accept connections.

We can deal with some aspects, e.g. reducing the impact of eronious data, but, large number of connections being opened to one machine, that's out of the bounds of what waterfall can sanely defend against. Configure your firewall and look at proper load balancing to mitigate these things, such is the modern ...

Hello Waterfall team, I have a problem:

Players connecting to 1.16.5 servers cannot return to 1.12.2 servers. Whenever a player uses the / lobby command to return to spawn, they are disconnected with the fallback message. However, going from one 1.12.2 server to another 1.12.2 server does not happen.
In the Waterfall console this message is displayed: [xx: xx: xx WARN]: No client connected for pending server!
![2021-02-09_15 11 38_2](https://user-images.githubusercontent.com/55663598/107...

Note: This already occurred in 1.16.4

Upstream bridge has disconnected

The client disconnected, which is why it's saying that there is no client connected, because it disconnected. You'd need to look further into your logs, maybe check the clients, etc.

@electronicboy

I analysed a pcap dump from him and based on that, bad connections are just not closed in a reasonable timeframe, like at max 0.5 seconds. They are not even closed in the full length of 2 seconds of his pcap dump. This happens because bungeecord is still waiting for the "Login Start" packet (the packet with the name field) to finish over the wire, before handling it and noticing that its too big. When this happens with thousands of connections, it gets overloaded.

The pro...

There is always further stuff we can do, I cannot however commit too much due to personal health; If somebody wants to submit a PR in the meantime I can look into it, but a lot of these issues would be dealt with better in firewall vs trying to deal with app code; Stuff like this would be much easier to pull off outside of bungee due to the way the entire stack is setup

I'll put something together.

#607

Check the first 4 packet lengths already in Varint21FrameDecoder, Handshake packet got minimum and maximum limits as well.
Also time out connections which were not able to send a completed packet within the limit. This might improve recovery after attacks.

@Janmm14 thank you very much for pointing out the importance of this issue and the ways on how to fix it 🙂

There is always further stuff we can do, I cannot however commit too much due to personal health; If somebody wants to submit a PR in the meantime I can look into it, but a lot of these issues would be dealt with better in firewall vs trying to deal with app code; Stuff like this would be much easier to pull off outside of bungee due to the way the entire stack is setup

Unfortunately...

with my health in particular, my interest/ability to dig deep into these issues, especially to solve stuff in a manner that doesn't involve just rewriting parts of the entire system and breaking plugins, etc. None of the things PR'd are actual fixes to the issues but workarounds to the side-effects of it, my personal interest in playing cat and mouse to resolve these issues when I have catastrophic health conditions and am not paid for this is severely limited, especially around issues which ...

@Games4k Could you try attacking my fix? Download in the PR.

@Games4k Could you try attacking my fix? Download in the PR.

Of course. I'll check it out tomorrow for you 🙂.

Great news @Janmm14. It seems to be fully patched :)

Should we add the channel not active checks from Varint21FrameDecoder and others also to PacketDecompressor and CipherDecoder?

Please don't copy classes just like that. Instead you could store a Boolean to materialise the limit(s) when the decoder is conceptualised.

Again, use an additional boolean bit instead

Instead of doing this, put it together with the same length sanity checks that are already in this patch and move it to a papermc package class

If I want to edit the initChannel method signature, I'd have to remove it's extends ChannelInitializer<Channel>.
I thought I'd be worse to edit class hierarchy, that is why I did it with the constructor parameter.

I already put it together through the max length constants above. Otherwise please explain in more detail what you think.

Ok, once the other points are cleared, I'll remove this one.

Hi I do not know why I got this problem.
I am using network, dedicated..
And using FastLogin for /premium.

[13:56:38 ERROR]: Error authenticating Sr_Rawr with minecraft.net
io.netty.channel.ConnectTimeoutException: connection timed out: sessionserver.mojang.com/143.204.163.105:443
at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$2.run(AbstractEpollChannel.java:576) ~[waterfall-1.16-395.jar:git:Waterfall-Bootstrap:1.16-R0.5-SNAPSHOT:c031df1:395]
at io....

offline mode does not use encryprion stuff.

Oh yeah forgot about that. Will add a check for that.

@McRageRecoded crybaby

I've put in higher limits to account for offline mode.

Removed

Please elaborate what you mean with boolean bit. I think this change is reasonable. I've also just further reduced the impact of the change by providing a default constructor for the Base class.

I've done some git magic and we have the patch now describes it as a file copy.
If that is not clean enough for you, I can happily add a constructor boolean to enable/disable limiting behaviour in Varint21FrameDecoder.

Moved LimitedVarint21FrameDecoder to a papermc package class. For the other part of your message, please explain in more detail what you mean.

I just tried using the PR'd version, but no success. Still getting DoS attacks.

@Xernium Can you please elaborate why this would create a race condition?

Nevermind, both PR'd versions seem to maintain the bug:

@Pemigrade You incorrectly assumed that the problem you got is related to the problem of @Games4k.
However it is not related at all.
It is your AntiVPN plugin here which for some unknown reason uses the mojang api.

Oh looks like I save my updates to my message in here. I talked to Games4k and we agreed that it's not the same issue that you were having. Just deleted my messages! Sorry for the confusion.

I'm also getting the the server you were previously on went down, you have been connected to a fallback server Disconnect message, this happens about 1 out of 4 times I switch servers from my 1.16.5 Survival server to my 1.8 Lobby (w/ Via Version on the proxy). No errors are shown on the proxy server nor on the two game-servers.

This happens on both Waterfall versions I have tested (The lastest release 395, and release 393).

Proxy Plugins
![image](https://user-images.githubuserco...

merge?

Hello, I'm currently experiencing a problem when I switch servers from my 1.16.5 Survival server to my 1.8 Lobby (w/ Via Version on the proxy).

This happens roughly around 1 out of 4 attempts I switch server (From Survival to Lobby) and sometimes there's an error in console regarding this but there have been multiple times without an error provided.

This happens on both Waterfall versions I have tested (The lastest release 395, and release 393).

This error looks like it's related to ...

We don't support protocol hacks, that exception also generally states that you had invalid entity metadata, either a bungeecord issue (which you'd need to reproduce on a 1.16 server and provide instructions), or an issue with your protocol hack or some plugin hiding behind it

This will have to be increased or removed - Minecraft-specific DDoS protection services such as TCPShield and Cosmic Guard like to stuff extra data in the handshake address field.

I will put in a property switch to set the maximum size for that packet then.

I am sure there are many waterfall users not using such ddos protections, they need the limit.

255 characters is plenty for our (TCPShield) purposes.

It is also multiplied by 4 for the heaviest utf-8 chars taking 4 bytes, so its actually much more, if you just use 1 or 2 byte utf-8 chars only.
Then I guess it is not needed in this case to allow editing this value.

huh

@Xernium I got a question when will 20w07a will be released i tried updating it myself but it seems some off the packets might have changed and i have totally no knowledge bout java. Thank you if can add me on discord ComPieter#0001

@TheCompieter Was busy yesterday. Done.

Still better than wasting resources on a exception that someone can exploit by just sending tons of null packet chats

Ports my Paper PR (https://github.com/PaperMC/Paper/pull/5205) to here. kill me.

Works well from my testing

565c857 Add support for hex color codes in console (#612) - JRoy

bc3e393 Updated Upstream (BungeeCord) - electronicboy

d562007 Updated Upstream (Waterfall) - electronicboy

The same as https://github.com/PaperMC/Paper/pull/4842.

@Xernium expressed interest in working on this a while back, I believe.

Ports https://github.com/PaperMC/Paper/pull/5228

9a1d6a1 Port Log4J converter fixes from Paper (#614) - JRoy

77b89f5 Updated Upstream (Waterfall) - electronicboy

See https://github.com/PaperMC/Paper/pull/5252

See https://github.com/PaperMC/Paper/issues/5248

Thank you.

any update?

I'm ill, so my capacity to throw mental energy into stuff like this is limited and so I value the commentary made by others in the community with experience

Please don't bump PRs unless you have something to add, have you tested it? does it work? etc

57c175c bump log4j version - electronicboy

fe43b76 Updated Upstream (Waterfall) - electronicboy

07617c8 Fix further issues with rgb text pattern matchi... - JRoy

4ef9bab Updated Upstream (BungeeCord) - electronicboy

Error when logging in the server by wayf of the waterfall:

This server has mods that require FML/Forge to be installed on the client. Contact your server admin for more details.

Except that, mods are present on the client with forge 1.16.5 (3306).

ip-forwarding true with forge true in the config.yml in waterfall config.
On the forge server (I use Mohist 1.16.5) there are bungeccord: true in spigot.yml and in the bungee.yml : connexion-throttles = -1.

Duplicate of #450

I noticed here, try

https://github.com/ArclightPowered/lightfall
https://github.com/ArclightPowered/lightfall-client

This is what I found when browsing Github recently, the project works in 1.15.x-1.16.x bungee-forge

Lightfall is a good example attempt but is not a solution as it requires a client side mixin patch to work.

The implementation of that patch is very basic and doesn't clean up any registries so it's bound to cause problems. In that state it can't be added into Forge.

@PurpleIsEverything here is how my implementation looks like for now

1. Server list has a second ping response type to indicate PROXY and mark it with an extra type compatible icon
2. Upon connection to the proxy, before login plugin messages start a proxy:identify payload is communicated.
3. Proxy then starts connection to downstream and sends proxy:ready back to the client.
4. Client connects to the server
5. Upon switching servers a proxy:reconnect payload is sent from the proxy to th...

See, personally, am not too sure about the UUID, i guess it works, would just need to be exposed in the API, I was more thinking potentially something which can be signed so that the server doesn't need to deal with storing stuff, but, uuid is more portable 🤷

I’ve tried many things and among long convoluted hacks that try to reset the client state without closing the connection- No. Forge mods can’t be expected to be completely reset if you do that. The only way to be sure is to force a complete disconnect so the client must undergo a full new connection. It’s also the most maintainable way

a full reconnect is what I was proposing to lex, given that it offers a cleaner state, just there would need to be some form of token passed

or, well, what we where discussion, not too sure who entirely proposed it, that discussion was a little while ago

Whatever implementation is used it's going to require modifications to Forge on the client to handle the reset.

A proper PR into Forge likely involves a more complete reset hook and event to make sure mods are aware of the transition.

it's a balance between, do we make mods responsible for it and hope they catch up, or, just have a more blanket system for it which generally works as expected across the entire board

There still should be a transition hook or event to allow for less hacky mod support while working with a blanket system.

With 1.16 still quite early in the dev cycle if the implementation is simple enough it's probably not a huge ask.

@PurpleIsEverything Right. I have some family matters to take care off of. If I have the time I’ll get something out to you to test.

If one of the parent folders has a space character Travertine will not compile.

You had the same problem in #140 and again the solution was to remove the spaces from your path.

You had the same problem in #140 and again the solution was to remove the spaces from your path.

Id like having it fixed so i don't run into the same problem everytime i have a folder with spaces.

You've not even provided the error, build issues due to mangled environments are not all that high of a priority for me to run around replicating

Aight, this is the error.

It would be really poggers if we could change some of the chat logging to have custom locale, especially the errors.
The current setup is really technical for an end users experience, ex.

It would be much preferable if we could just edit a config file to whatever we wanted it to be
or at the very minimum, disable the chat logging.

You can extract the messages.properties file from the proxy jar and place it in the folder where the proxy runs and then modify any of the locale you want in there

Please don't bump PRs unless you have something to add, have you tested it? does it work? etc

In the issue, the issue creator already wrote that it does fix the exploit.

I think the changes done in this PR are quite straightforward and it should get merged soon.

I'm happy to assist when problems arise due to this change.

One thing that might change is the way the software reacts when another bungee with ip/uuid/skin forwarding enabled is pointed to a waterfall instance with this...

a singular (set of) test(s) in a very specific environment is not really a good means of knowing that such a patch is ready to pull, this patch feels too heavily implementation detailed for me in some areas, has this been tested with any mod packs or anything like that for example?

Ah yeah I forgot the stuff which mods might do. My bad.

I guess we'll have to wait for some people who use Waterfall in combination with modpacks to see if forge / any modpack sends long data in the first 4 packets to test it out.
While I am happy to assist with potential errors arising due to mods (like increasing the already big limits or adding some config option to only check the first 3 instead of 4 packets or so), I don't feel like digging into modpack server & client installations ...

Hello!
I am using Waterfall 1.16 but whenever i try to join i get this error
disconnected with: Exception Connecting:BadPacketException : Unexpected packet received during server connector process!
my config

server_connect_timeout: 5000
listeners:
- query_port: 25565
  host: 0.0.0.0:25565
  motd: 'no lol'
  max_players: 1
  force_default_server: false
  tab_size: 60
  forced_hosts:
    pvp.md-5.net: pvp
  tab_list: GLOBAL_PING
  bind_local_address: true
  ping_passthrough...

Duplicate of https://github.com/PaperMC/Waterfall/issues/605.

If you need further assistance, we'd be happy to help you on Discord in #waterfall-help.

Hello can someone help me please? Some players are getting kicked with this message: NativeIoException : readAddress(..) failed: Connection reset by peer

the connection was closed in an unexpected manner

Exception Connecting:decoderException:net.md_5.bungee.protocl.badpacketException:unsupportedprotocol version 5 @ io.netty.handler.codec.MessageToMessageDecoder:98

Hub/waterfall running viaversion/backwards so u can join threw 1.16.5-1.7.10
The forge server is 1.7.10 (ftb infinity)
The hub is 1.12.2

Waterfall doesn't support 1.7.10, you need Travertine

oh ok thx

[09:29:20 INFO]: [/127.0.0.1:58763] InitialHandler has pinged
[09:29:24 INFO]: [/127.0.0.1:58764] InitialHandler has connected
[09:29:24 WARN] [io.netty.util.concurrent.AbstractEventExecutor]: A task raised an exception. Task: net.md_5.bungee.connection.InitialHandler$6$1@2f3eb76d
java.lang.ClassCastException: java.util.LinkedHashMap incompatible with java.util.Collection
at net.md_5.bungee.conf.YamlConfig.getPermissions(YamlConfig.java:329) ~[waterfall-1.16-403.jar:git:Waterfal...

your configuration is invalid, I recommend using a proper perm plugin in general, e.g. LuckPerms

Your permissions configuration is corrupt

Ok.

need to look at creating/"yoinking" issue templates from paper, the lack of issue templates creates some overheads and it would be nice to link people to the discord for general support, etc

We had some issues getting waterfall to compile against 11, might take another stab at it at some point but getting the java 11 stuff working is a goal, I don't however use windows, so generally maintaining libs for platforms I don't use is generally an issue, and given that linux in general is the most popular platform for running the proxy, non-linux platforms are shamefully not a high priority here (I do use macOS, but, not really a platform I specifically aim to put too much effort for op...

There is a error message pop up when player downstream from my live server.

log:
https://pastebin.com/g3Dih3zy

currently, does have any clue on how to reproduce this problem and don't know what will it affect

Disable entity meta rewriting in the waterfall.yml
This might be a plugin or mod not completely adhering to the strict requirements of this feature.

I've been using this build for a long time now, and I can confirm that on a normal Waterfall with a moderate amount of players, some plugins, and continuous bot/DDoS attacks (I run a JH AntiBot test server), it performed really well. No issues at all. This is a MUST to be merged. Default Bungee implementation is not only allowing for a network overload, but also getting overloaded itself, consuming an unlimited amount of RAM during the attack, which does not get cleared automatically, eve...

Rebased onto latest waterfall changes, mainly for my CI.

forgot I'd already created this

We have templates-v2 (what Paper has) now, if anyone wants to get on that before I do ^_^

[20:44:47 ERROR]: [/127.0.0.1:57726] InitialHandler - encountered exception: net.md_5.bungee.util.QuietException: Unexpected packet received during login process! 4554202f20485454502f312e310d0a55

Its someone typing minecraft address into the web browser.

Previously there was no way of getting the commands issued by the console & there was no way of customizing the messages sent to the sender after executing a command.

This pull request will change this now.

You know that you reopenend this on Waterfall and not on BungeeCord?

cb25ad5 Updated Upstream (BungeeCord) - electronicboy

Upstream has released updates that appears to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Waterfall Changes:
cb25ad5 Updated Upstream (BungeeCord)
4ef9bab Updated Upstream (BungeeCord)
07617c8 Fix further issues with rgb text pattern matching (#615)

296c62b Updated Upstream (Waterfall) (#155) - riku6460

I have seen an issue where if a server send the tabcompletelist too bungeecord it doesn't reset on server switch which should happen and request a new tabcompletelist from the joined server am i correct?

ComPieter1, that doesn't have anything to do with that pull request.

I forgot totally about that PR. As there are some better ideas (Paper's brigadier implementation) I'll close that PR.

Tab completion isn't updated correctly on a server switch like from hub to survival it also keeps the hubs tab completions and if tab complete is disabled on survival it will override that.
What should happen is that the tab should be cleared on a switch and be asked from the server which the player joins not keep the old one. (sorry for my horrible english it's pretty late lol)

Bump

Hello Waterfall community, i'm owning a smaller minecraft server with about 50 max concurrent players.
I am recently facing bot attacks where multiple ips (proxies?) connected to the bungeecord, each allocating 16MB direct memory and thus rendering the server unusable.

I've allocated 512MB memory to bungeecord, which was plently for the last 3 years. I still doubled it to 1 gig for now, but the DOS "attack" still manages to fill the ram in seconds.

This exception is spammed to console ...

You could argue that this is a ddos attack and can't be fixed by bungeecord/waterfall.

Yes thats true, bungeecoord/waterfall had many exploits but md5 claims that they don't even work xd, waterfall does something but still their "antidos" is trash.

However, the host machine was using about 30% cpu and 10% of it's network resources, it's really only bungeecord that is struggeling to keep up with that many requests.

Imo bungeecord has fucked networking system, even vanilla's one is...

Imo bungeecord has fucked networking system, even vanilla's one is better xd.
Does velocity do any better? Maybe it's worth switching... It's a big hustle porting all plugins so can't just make the decision without knowing it will be worth it :/

Do you have the beginning of the attack ? (the logs before the java.lang.OutOfMemoryError: Direct buffer memory) ?

@narumii
This offensive language will not get you anywhere. You did not provide any useful information.

I suggest that the maintainers of waterfall delete your comment.

I suggest that you try out #609, there's also a link to a test Waterfall jar in there. That might help with your problem.

Do you have the beginning of the attack ? (the logs before the java.lang.OutOfMemoryError: Direct buffer memory) ?

Here is the log from 5 minutes before the attack:
https://pastebin.com/FrMPjp4G

In short, this:
[22:30:00] [Netty Worker IO Thread #2/WARN]: [/CENSORED:57820] <-> InitialHandler - bad packet ID, are mods in use!? VarInt too big

Do you have the beginning of the attack ? (the logs before the java.lang.OutOfMemoryError: Direct buffer memory) ?

Here is the log from 5 minutes before the attack:
https://pastebin.com/FrMPjp4G

In short, this:
[22:30:00] [Netty Worker IO Thread #2/WARN]: [/CENSORED:57820] <-> InitialHandler - bad packet ID, are mods in use!? VarInt too big

Is that amount of server list pings normal for your server?

@narumii
This offensive language will not get you anywhere. You did not provide any useful information.

I suggest that the maintainers of waterfall delete your comment.

I suggest that you try out #609, there's also a link to a test Waterfall jar in there. That might help with your problem.

Yeah telling truth is offensive :(
Big "DoS mitigations" that doens't works, also "DoS mitigations" from velocity doesn't work properly idk why /shrug

There is a difference between telling the truth and just being an ass about
it

Each event pipeline thread iirc gets its own native buffer, this would
imply that too many event threads fired up or something, don't think there
is an actual leak here but I have no means to reproduce this to
investigate. Many of these issues can be mitigated with basic configuration
of s firewall to throttle connections in the event of an attack

On Sat, 10 Apr 2021, 18:28 なるみ, @.***> wrote:

@narumii <h...

Is that amount of server list pings normal for your server?

Yeah pretty much. 2-3 pings per second is what i would consider normal.

Many of these issues can be mitigated with basic configuration of s firewall to throttle connections in the event of an attack

As already mentioned, i am rate limiting connections, filetering bad packets and limiting total connections per ip.
How about telling the "basic firewall configruation" so i can configure mine.

this specific case doesn't look like a basic firewall setup will help, I think I know what they're doing and it's shamefully an artifact of a service exposed to the internet doing its job, I think I have a way to limit the damage but will impact performance for some people relying on certain aspects of how netty works already

8455800 Updated Upstream (BungeeCord) - electronicboy

8275df5 Updated Upstream (Waterfall) - electronicboy

I'm now running the test version from @Janmm14.
I will let you know if it helped or not should the attackers do their thing again.
I've noticed no issues so far.

4960583 Add native macos DNS resolver - electronicboy

51c4e52 Updated Upstream (Waterfall) - electronicboy

Such a important pull request is not gonna be merged any time soon. Multiple large hosting providers have tried to "mitigate" it with firewall, but idk how do you expect to block legit Minecraft connections (bots) with firewall... I've been using this for months and there are just no issues. Why waiting more? Reject it or accept it...

Because I'm ill and do not have the time to answer the questions I've asked myself, and apparently nobody else has cared to put in the effort either.

if you want to help get this pulled, please, answer the question for us, go test in supported modded environments.

I'm inclined to close this pr, my health is generally shot and the attitude/demands I get over this PR far exceeds the people willing to actually answer and address the concerns I have. For a free project I don't get a cent for, I'm not all that inclined to throw much mental energy into such a questionable PR which nobody else wants to throw the effort into either

Such a important pull request is not gonna be merged any time soon. Multiple large hosting providers have tried to "mitigate" it with firewall, but idk how do you expect to block legit Minecraft connections (bots) with firewall... I've been using this for months and there are just no issues. Why waiting more? Reject it or accept it...

Your condescending attitude is unhelpful. Leave it at the door.

This looks extremely janky. Why do we not parse what the packet is first, then to check expected packet length which is already defined in their classes?

@Proximyst wrote:
This looks extremely janky. Why do we not parse what the packet is first, then to check expected packet length which is already defined in their classes?

That is already done by the current version of the patch this PR modifies.

The attack sends a large packet size and sends the data very slowly but frequently enough to not trigger a timeout (as the timeout handler is before the Varint21FrameDecoder). This causes the connections to stay open for a long time w...

the server already has a thing to limit how long a client can spend on LOGIN, iirc, maybe worth looking at how long that allowed and such

https://github.com/SpigotMC/BungeeCord/pull/3066

No additional reports of this, I don't have a windows machine and chasing down endless problems with an OS I don't have the means to test on and where reproduction of these issues is generally spotty as all heck, I have 0 interest in wasting my time on.

if somebody can spot the issue, feel free to open a PR, but I will not be investing personal time into terminal support issues on windows

not a waterfall issue, the server sends the tab completion post join which updates the client and replaces its existing tab completion, issues like this are generally down to plugins breaking the tab completion stuff or misconfiguration of the server itself, e.g. disabling tab completion in spigot.yml

no further reports of this and every instance of this in the past has been traced back to plugins

Seems like there is no real interest in this issue, pressing escape has 0 bearing on the proxy itself and suggests that some mod really doesn't like server transfers, there are some things in the proxy these days which can help but chasing down edge case issues with 200 in 1 mod packs is not something I can commit to

Java does not cooperate that well with Docker. We have experienced a lot of OOM issues on our network and we managed to fix our issues with our proxy by allocating twice the proxy heap uses in overhead.

The primary reason is because aside from JVM overhead you need to also have room for direct buffers, which can get big.

One startup option I would recommend is . By default Netty pools up to 16MiB buffers and Minecraft only sends packets 2MiB in size, maximum. This option will bring it d...

We need to look into applying this automatically,

ref: #627
Bungee creates an event pool with 0 limitations, which means that it's pretty easy to drain a system of resources if you're able to take advantage of this

#628

This is already built into log4j

Maybe it'd be good to manually define -XX:MaxDirectMemorySize=size (I think the default is identical to Xmx) as well.

that's a JVM flag, we can't control that programmatically afaik?
increasing that also generally doesn't solve the issue as draining resources is pretty trivial still, biggest thing I think would be to try to reduce the default buffer size and maybe look at making the event look bounded with a config option and maybe some auto guesstimation maths for default

c19c477 Only ignore empty packets from the server (Fixe... - electronicboy

I know thats a jvm flag, so with manually i meant to check if we should ask users to use a lower max heap and allow for more direct mem than max heap as kind of workaround in case this happens in scenarios without abuse.

Closing, many of these have been reduced as much as viable without going too gross

closing, no further reports of this and the theories pointed above seem to fall inline with one or two other commits on their repos, we can't entirely do too much with plugins bundling in odd versions of stuff which conflicts with internals

PR already exists on bungee but appears to have 0 interest, there is very little interest for such a weird system for such a niche use-case when it can be trivially implemented by a plugin

many issues like this have been severely neutered over the past god knows how long

0 further reports on this and this is all generally controlled by the client, if this is an issue one would need to provide more detailed info or reproduction info

that is not force default, that's ping passthrough

Got this issue today, disconnected and cant reconnect
You are already connected to this proxy

After some investigation it looks like the problems has it's source from a server connected to the Proxy, and not the Proxy itself, for the server, I didn't disconnect.

Looking back at this, we never send this stuff unless we actually get it ourself? Guessing that this is purely a proto-hack thing and not something I'm going to invest time into unless people can reproduce without such hacks

c7fc74f Fix compilation in paths with spaces (Fixes #154) - electronicboy

abaa610 Add ServerConnectRequest#sendFeedback - electronicboy

6702e0f Put ReadTimeoutHandler after frame decoder. - Janmm14

2a1d806 Updated Upstream (Waterfall) - electronicboy

https://github.com/PaperMC/Waterfall/commit/6702e0f69b2fa32c1046d277ade2107e22ba9134

With the recent threat of sophicisticated backdoor malware plugins over on spigotmc, it should be considered that PaperMC uses some sort of certificate to sign their official builds of Waterfall. Could also be self-signed for 999 years or so. This allows for better checking of jar file modifications and some jar file modifications might even be stopped from running.

literally takes 5 seconds for malware to just delete or just change signature data. Just don't download sketchy stuff.

Would still hinder existing malware. People might also use the tool by java to check the license in their start script / in a cronjob etc.

test

sorry it didn't work

people with less experience are not going to spend their time verifying that their jar is valid each time, nor is signing nightly builds a good security practice at all, if there is a system that would be compromised on our side, it's all giving them access to the entire distro chain

I try to connect to my forge server from another spigot server and nothing happends.
This is what shows up in the console:

[00:53:05] [Netty Worker IO Thread #1/INFO]: [Rankzy|/127.0.0.1:64231]  ServerConnector [Sammycraft] has connected
[00:53:05] [Netty Worker IO Thread #1/INFO]: [Rankzy|/127.0.0.1:64231]  ServerConnector [Sammycraft] has disconnected

The only fix i found is to set "online_mode: false" but this removes player skins and causes other issues.

sorry I don't understand forks in git / github :P

The server disconnected you, this is generally as forge doesn't support IP forwarding so has no clue what to do, you need sponge for this to work, basically, or find a mod which supports IP forwarding; Depending on the mods installed, you may need to mess around with the settings in waterfall.yml, specifically aspects like tab rewriting and entity metadata

server ping error

0 useful info to go off, best I could guess is that something mangled a packet or something, replicate without plugins

Hey so recently commit (c19c4771deb96ad88e01781674d7d716dd10d3c0) was dropped which blocks empty packets from players, but allows them from the server-side. I don't understand why this change has been made because now players are always getting kicked for these empty packets and I would like to know how these empty packets are created and how we could prevent them. We did upgrade Waterfall to the latest version to fix a crasher but now our players are being kicked for the reason said above.

d43773a server is the client and not server is the serv... - electronicboy

Flag seems to represent the wrong thing, so, this is fixed
Your server is sending empty packets, i.e. packets which are empty (yet still framed)
This is generally caused by janky plugins messing with server internals

Tested this without any plugins and still presists on waterfall i only have on the hub world edit as a test and second server the tab complete disabled in spigot which does cause waterfall too override the tabcomplete while it should be disabled.

Waterfall doesn't send a command definition structure to reset this, it relies on the fact that the server sends it on server switching

So basicly saying that spigot/paper should send a reset on join? instead of literately doing nothing i assume?

Made an issue by paper itself thank you for helping.

May add getting started and/or link the bungeecord getting startet.

Can you please be a bit more descriptive what exactly you want?

Sorry,
It would be great if you could add a bit better documentation. If you want to start a new project, you just got the information how to get the API. I just started and don't know how can I start with the plugin.

It would be nice if there was an "Getting started" section where the basics are shown. Enrtry point to the plugin (onEnable())

Like this:

Getting Started

Hello World

@Override
public void onEnable() {
    getLogger().info("Hello World");
}

...

I believe the MCDev plugin for IntelliJ starts you off fairly well. Regardless, this is better suited for https://github.com/PaperMC/PaperDocs repo instead, and for all platforms.

As waterfall is a fork of bungeecord, just use the available documentation of bungeecord at https://www.spigotmc.org/wiki/bungeecord-plugin-development/

e782e77 Set Netty pooled buffer size to 4MB - astei

https://github.com/PaperMC/Waterfall/commit/e782e77edf184ddea7ce5e7c33bcac567fc8b0d5

Please update Upstream from Waterfall

please fix this, have problems when players teleport alot between Servers

Please don't bump PRs unless you have something to add
I've already stated why I'm not fond of this PR, I'm not going to merge something in I'm not happy with unless it's ultimately needed and no better solutions exist.

as I've stated elsewhere, on the basis that this is only holding registration stuff and the brand, I'd much more be inclined if we just stored a list of registered channels and resend those, rather than storing the full plugin message, same for the brand too, offers a much...

There's another thing or two I wanna do over the next few days before I deal with upstreaming, the biggest change can already be applied by tweaking your JVM flags

Good Work

This seems like a great idea, especially to add to the list of platforms with native support, which further allows for the scale of cross compatibility that I think Adventure is designed around. I don’t want to seem like I’m trying to take over or anything, but I’d love to give this one a go, modelling after Paper’s implementation of this. I’ll see what I can come up with and make a PR.

Feel free to @BomBardyGamer
I just lack the time currently. And that’s probably not changing soon