Restricting Client Cvars (Cvar Checks and sv_consistency)

June 4, 2026 Daemon666 9 min read 12 vizualizări

Some of the oldest CS 1.6 "cheats" are not hacks at all — they are ordinary client cvars set to values that reveal enemies through walls, remove smoke, or brighten models. The engine gives you sv_consistency to force consistent files, and AMX Mod X gives you query_client_cvar to read and reject a client's cvar values. This shows how to use both to close the easy holes.

1. Force file consistency

The engine can require that clients use the server's versions of certain files (player models, sprites, sounds) rather than modified transparent or brightly-colored ones. Enable it in server.cfg:

sv_consistency 1
mp_consistency 1

sv_consistency 1 makes the server enforce a consistency list; mp_consistency 1 in CS specifically forces player model and skin consistency, which blocks the classic bright/see-through player skins. A client with a mismatched forced file is dropped with a consistency error rather than being allowed to play with an advantage.

2. Understand what consistency does and does not catch

Consistency covers files. It does nothing about cvars — a player can still set rendering cvars that the engine honors and that give an edge. That is the gap query_client_cvar fills: it lets a plugin ask a connected client the value of any cvar and act on the answer. The two together — file consistency plus cvar checks — cover the common low-effort cheats. Neither replaces a real anti-cheat for signature hacks.

3. A cvar-enforcement plugin

This plugin queries each player shortly after they join and kicks anyone whose value on a monitored cvar is not allowed. It uses only the core amxmodx API:

#include <amxmodx>

public plugin_init()
{
    register_plugin("CSB Cvar Guard", "1.0", "CSB")
}

public client_putinserver(id)
{
    if (is_user_bot(id) || is_user_hltv(id))
        return
    // give the client a moment to finish connecting
    set_task(3.0, "check_cvars", id)
}

public check_cvars(id)
{
    if (!is_user_connected(id))
        return
    query_client_cvar(id, "r_drawentities", "on_cvar")
    query_client_cvar(id, "gl_wireframe",   "on_cvar")
}

public on_cvar(id, const cvar[], const value[])
{
    // r_drawentities must be 1; anything else is a rendering exploit
    if (equal(cvar, "r_drawentities") && str_to_num(value) != 1)
    {
        server_cmd("kick #%d \"Illegal cvar: r_drawentities\"", get_user_userid(id))
        return
    }
    // gl_wireframe must be 0
    if (equal(cvar, "gl_wireframe") && str_to_num(value) != 0)
    {
        server_cmd("kick #%d \"Illegal cvar: gl_wireframe\"", get_user_userid(id))
        return
    }
}

Compile it, drop the .amxx into addons/amxmodx/plugins/, and add it to plugins.ini. If you would rather not maintain your own, a ready-made version ships as the CSB Cvar Guard plugin with a configurable list.

4. Which cvars are worth checking

Values a legitimate player never needs to change, and which grant an advantage when tampered with:

  • r_drawentities — must be 1; other values can alter how entities render.
  • gl_wireframe — must be 0; non-zero draws wireframe through geometry.
  • gl_zmax, gl_polyoffset — tampering can affect depth/visibility on some renderers.

Keep the list short and well-understood; over-restricting kicks legitimate players on hardware quirks. Do not guess at cvar names — query only ones you have verified exist and matter.

5. Enforce sv_cheats and rates too

Two engine-side basics belong alongside cvar checks: sv_cheats 0 (so cheat-protected cvars like r_fullbright cannot be set at all) and sane rate limits so nobody games the netcode. Both are in the essential server cvars list.

Troubleshooting

  • Consistency kicks legitimate players — your server's forced files differ from stock in a way clients cannot obtain. Make sure the required files are on your FastDL mirror so clients can download the correct versions.
  • query_client_cvar never fires — you queried too early (before the client finished connecting) or the client is a bot/HLTV. Delay with set_task and skip non-players, as the plugin does.
  • Everyone gets kicked — your allowed value is wrong, or the cvar has a different legitimate default than you assumed. Log the values before you kick on them.
  • Cheaters still get through — cvar checks only catch cvar-based tricks; binary aimbots/wallhacks need a dedicated anti-cheat. This is a floor, not a ceiling.
  • Consistency does nothingsv_consistency 0, or nothing is on the consistency list to enforce. Enable both cvars.

Verification

On a test client, set a monitored cvar to a bad value before connecting:

gl_wireframe 1
connect your.server.ip:27015

You should be kicked within a few seconds with the Illegal cvar message. Set it back to 0 and confirm you connect normally. For consistency, join with a modified player model and confirm the server rejects it. When both the file check and the cvar check reject their test cases, the common low-effort cheats are closed.

Contribuitori: Daemon666 ✦
Distribuie: