Annotate

mod_firewall/mod_firewall.lua @ 2968:569b98d6fca1

mod_http_logging: Be robust against missing connection object
author Kim Alvefur <zash@zash.se>
date Fri, 30 Mar 2018 13:37:39 +0200
parent 2928:b0d92332b87f
child 3981:7e8f2e36419d
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
2 local lfs = require "lfs";
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local resolve_relative_path = require "core.configmanager".resolve_relative_path;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 local logger = require "util.logger".init;
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
5 local it = require "util.iterators";
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
6 local set = require "util.set";
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
2579
5e948d1392a5 mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents: 2578
diff changeset
8 -- [definition_type] = definition_factory(param)
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
9 local definitions = module:shared("definitions");
2579
5e948d1392a5 mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents: 2578
diff changeset
10
5e948d1392a5 mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents: 2578
diff changeset
11 -- When a definition instance has been instantiated, it lives here
5e948d1392a5 mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents: 2578
diff changeset
12 -- [definition_type][definition_name] = definition_object
2374
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
13 local active_definitions = {
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
14 ZONE = {
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
15 -- Default zone that includes all local hosts
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
16 ["$local"] = setmetatable({}, { __index = prosody.hosts });
2527
5ff7eb601d60 mod_firewall: Code formatting
Matthew Wild <mwild1@gmail.com>
parents: 2526
diff changeset
17 };
2374
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
18 };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19
2113
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
20 local default_chains = {
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 preroute = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 type = "event";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 "pre-message/bare", "pre-message/full", "pre-message/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 "pre-presence/bare", "pre-presence/full", "pre-presence/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 "pre-iq/bare", "pre-iq/full", "pre-iq/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 deliver = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 type = "event";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 "message/bare", "message/full", "message/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 "presence/bare", "presence/full", "presence/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 "iq/bare", "iq/full", "iq/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 deliver_remote = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 type = "event"; "route/remote";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40
2113
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
41 local extra_chains = module:get_option("firewall_extra_chains", {});
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
42
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
43 local chains = {};
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
44 for k,v in pairs(default_chains) do
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
45 chains[k] = v;
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
46 end
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
47 for k,v in pairs(extra_chains) do
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
48 chains[k] = v;
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
49 end
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
50
2124
89363766202c mod_firewall: Add comment to document idsafe()
Matthew Wild <mwild1@gmail.com>
parents: 2118
diff changeset
51 -- Returns the input if it is safe to be used as a variable name, otherwise nil
2099
a8c701631d0b mod_firewall: Make idsafe() a global function so libraries can re-use it
Matthew Wild <mwild1@gmail.com>
parents: 2080
diff changeset
52 function idsafe(name)
2527
5ff7eb601d60 mod_firewall: Code formatting
Matthew Wild <mwild1@gmail.com>
parents: 2526
diff changeset
53 return name:match("^%a[%w_]*$");
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
54 end
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
55
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
56 local meta_funcs = {
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
57 bare = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
58 return "jid_bare("..code..")", {"jid_bare"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
59 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
60 node = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
61 return "(jid_split("..code.."))", {"jid_split"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
62 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
63 host = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
64 return "(select(2, jid_split("..code..")))", {"jid_split"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
65 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
66 resource = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
67 return "(select(3, jid_split("..code..")))", {"jid_split"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
68 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
69 };
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
70
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
71 -- Run quoted (%q) strings through this to allow them to contain code. e.g.: LOG=Received: $(stanza:top_tag())
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
72 function meta(s, deps, extra)
2385
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
73 return (s:gsub("$(%b())", function (expr)
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
74 expr = expr:gsub("\\(.)", "%1");
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
75 return [["..tostring(]]..expr..[[).."]];
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
76 end)
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
77 :gsub("$(%b<>)", function (expr)
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
78 expr = expr:sub(2,-2);
2538
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
79 local default = "<undefined>";
2561
3da0e3c917cc mod_firewall: Accept backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents: 2558
diff changeset
80 expr = expr:gsub("||(%b\"\")$", function (default_string)
3da0e3c917cc mod_firewall: Accept backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents: 2558
diff changeset
81 default = stripslashes(default_string:sub(2,-2));
2538
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
82 return "";
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
83 end);
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
84 local func_chain = expr:match("|[%w|]+$");
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
85 if func_chain then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
86 expr = expr:sub(1, -1-#func_chain);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
87 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
88 local code;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
89 if expr:match("^@") then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
90 -- Skip stanza:find() for simple attribute lookup
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
91 local attr_name = expr:sub(2);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
92 if deps and (attr_name == "to" or attr_name == "from" or attr_name == "type") then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
93 -- These attributes may be cached in locals
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
94 code = attr_name;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
95 table.insert(deps, attr_name);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
96 else
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
97 code = "stanza.attr["..("%q"):format(attr_name).."]";
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
98 end
2524
0404476ecfe3 mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents: 2520
diff changeset
99 elseif expr:match("^%w+#$") then
0404476ecfe3 mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents: 2520
diff changeset
100 code = ("stanza:get_child_text(%q)"):format(expr:sub(1, -2));
2368
7e1d8c46d788 mod_firewall: Support for default values in stanza paths
Matthew Wild <mwild1@gmail.com>
parents: 2367
diff changeset
101 else
2524
0404476ecfe3 mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents: 2520
diff changeset
102 code = ("stanza:find(%q)"):format(expr);
2368
7e1d8c46d788 mod_firewall: Support for default values in stanza paths
Matthew Wild <mwild1@gmail.com>
parents: 2367
diff changeset
103 end
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
104 if func_chain then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
105 for func_name in func_chain:gmatch("|(%w+)") do
2573
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
106 -- to/from are already available in local variables, use those if possible
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
107 if (code == "to" or code == "from") and func_name == "bare" then
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
108 code = "bare_"..code;
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
109 table.insert(deps, code);
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
110 elseif (code == "to" or code == "from") and (func_name == "node" or func_name == "host" or func_name == "resource") then
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
111 table.insert(deps, "split_"..code);
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
112 code = code.."_"..func_name;
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
113 else
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
114 assert(meta_funcs[func_name], "unknown function: "..func_name);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
115 local new_code, new_deps = meta_funcs[func_name](code);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
116 code = new_code;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
117 if new_deps and #new_deps > 0 then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
118 assert(deps, "function not supported here: "..func_name);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
119 for _, dep in ipairs(new_deps) do
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
120 table.insert(deps, dep);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
121 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
122 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
123 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
124 end
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
125 end
2538
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
126 return "\"..tostring("..code.." or "..("%q"):format(default)..")..\"";
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
127 end)
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
128 :gsub("$$(%a+)", extra or {})
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
129 :gsub([[^""%.%.]], "")
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
130 :gsub([[%.%.""$]], ""));
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
131 end
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
132
2547
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
133 function metaq(s, ...)
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
134 return meta(("%q"):format(s), ...);
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
135 end
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
136
2546
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
137 local escape_chars = {
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
138 a = "\a", b = "\b", f = "\f", n = "\n", r = "\r", t = "\t",
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
139 v = "\v", ["\\"] = "\\", ["\""] = "\"", ["\'"] = "\'"
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
140 };
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
141 function stripslashes(s)
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
142 return (s:gsub("\\(.)", escape_chars));
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
143 end
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
144
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
145 -- Dependency locations:
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
146 -- <type lib>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
147 -- <type global>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
148 -- function handler()
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
149 -- <local deps>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
150 -- if <conditions> then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
151 -- <actions>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
152 -- end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
153 -- end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
154
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
155 local available_deps = {
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
156 st = { global_code = [[local st = require "util.stanza";]]};
2544
223eea31588d mod_firewall: Add it(erators) and it_count dependencies
Matthew Wild <mwild1@gmail.com>
parents: 2543
diff changeset
157 it = { global_code = [[local it = require "util.iterators";]]};
223eea31588d mod_firewall: Add it(erators) and it_count dependencies
Matthew Wild <mwild1@gmail.com>
parents: 2543
diff changeset
158 it_count = { global_code = [[local it_count = it.count;]], depends = { "it" } };
2548
ce08a57e516b mod_firewall: Add 'current_host' variable/dependency
Matthew Wild <mwild1@gmail.com>
parents: 2547
diff changeset
159 current_host = { global_code = [[local current_host = module.host;]] };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
160 jid_split = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
161 global_code = [[local jid_split = require "util.jid".split;]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
162 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
163 jid_bare = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
164 global_code = [[local jid_bare = require "util.jid".bare;]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
165 };
2412
9159f9166893 mod_firewall: Use the sender bare JID instead of 'to' for stanzas to self
Kim Alvefur <zash@zash.se>
parents: 2404
diff changeset
166 to = { local_code = [[local to = stanza.attr.to or jid_bare(session.full_jid);]]; depends = { "jid_bare" } };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 from = { local_code = [[local from = stanza.attr.from;]] };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 type = { local_code = [[local type = stanza.attr.type;]] };
2415
07d7036040ee mod_firewall: Insert semicolons after some statements to prevent ambiguous syntax in output (fixes #797)
Kim Alvefur <zash@zash.se>
parents: 2412
diff changeset
169 name = { local_code = [[local name = stanza.name;]] };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
170 split_to = { -- The stanza's split to address
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
171 depends = { "jid_split", "to" };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
172 local_code = [[local to_node, to_host, to_resource = jid_split(to);]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
173 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
174 split_from = { -- The stanza's split from address
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
175 depends = { "jid_split", "from" };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
176 local_code = [[local from_node, from_host, from_resource = jid_split(from);]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
177 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
178 bare_to = { depends = { "jid_bare", "to" }, local_code = "local bare_to = jid_bare(to)"};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
179 bare_from = { depends = { "jid_bare", "from" }, local_code = "local bare_from = jid_bare(from)"};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
180 group_contains = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
181 global_code = [[local group_contains = module:depends("groups").group_contains]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
182 };
2418
ef95853cf900 mod_firewall: More semicolons
Kim Alvefur <zash@zash.se>
parents: 2416
diff changeset
183 is_admin = { global_code = [[local is_admin = require "core.usermanager".is_admin;]]};
ef95853cf900 mod_firewall: More semicolons
Kim Alvefur <zash@zash.se>
parents: 2416
diff changeset
184 core_post_stanza = { global_code = [[local core_post_stanza = prosody.core_post_stanza;]] };
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
185 zone = { global_code = function (zone)
2928
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
186 local var = zone;
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
187 if var == "$local" then
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
188 var = "_local"; -- See #1090
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
189 else
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
190 assert(idsafe(var), "Invalid zone name: "..zone);
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
191 end
b0d92332b87f mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents: 2894
diff changeset
192 return ("local zone_%s = zones[%q] or {};"):format(var, zone);
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
193 end };
966
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
194 date_time = { global_code = [[local os_date = os.date]]; local_code = [[local current_date_time = os_date("*t");]] };
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
195 time = { local_code = function (what)
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
196 local defs = {};
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
197 for field in what:gmatch("%a+") do
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
198 table.insert(defs, ("local current_%s = current_date_time.%s;"):format(field, field));
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
199 end
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
200 return table.concat(defs, " ");
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
201 end, depends = { "date_time" }; };
2418
ef95853cf900 mod_firewall: More semicolons
Kim Alvefur <zash@zash.se>
parents: 2416
diff changeset
202 timestamp = { global_code = [[local get_time = require "socket".gettime;]]; local_code = [[local current_timestamp = get_time();]]; };
2128
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
203 globalthrottle = {
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
204 global_code = function (throttle)
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
205 assert(idsafe(throttle), "Invalid rate limit name: "..throttle);
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
206 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle);
2128
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
207 return ("local global_throttle_%s = rates.%s:single();"):format(throttle, throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
208 end;
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
209 };
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
210 multithrottle = {
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
211 global_code = function (throttle)
2130
9239893a2400 mod_firewall: Don't use util.cache unless it's needed, and add explanatory error if it is not available
Matthew Wild <mwild1@gmail.com>
parents: 2128
diff changeset
212 assert(pcall(require, "util.cache"), "Using LIMIT with 'on' requires Prosody 0.10 or higher");
2128
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
213 assert(idsafe(throttle), "Invalid rate limit name: "..throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
214 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
215 return ("local multi_throttle_%s = rates.%s:multi();"):format(throttle, throttle);
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
216 end;
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
217 };
2402
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
218 rostermanager = {
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
219 global_code = [[local rostermanager = require "core.rostermanager";]];
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
220 };
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2130
diff changeset
221 roster_entry = {
2416
ade918cd9ca7 mod_firewall: Only call rostermanager if username is available (fixes #796)
Kim Alvefur <zash@zash.se>
parents: 2415
diff changeset
222 local_code = [[local roster_entry = (to_node and rostermanager.load_roster(to_node, to_host) or {})[bare_from];]];
2402
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
223 depends = { "rostermanager", "split_to", "bare_from" };
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
224 };
2520
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
225 list = { global_code = function (list)
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
226 assert(idsafe(list), "Invalid list name: "..list);
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
227 assert(active_definitions.LIST[list], "Unknown list: "..list);
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
228 return ("local list_%s = lists[%q];"):format(list, list);
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
229 end
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
230 };
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
231 search = {
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
232 local_code = function (search_name)
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
233 local search_path = assert(active_definitions.SEARCH[search_name], "Undefined search path: "..search_name);
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
234 return ("local search_%s = tostring(stanza:find(%q) or \"\")"):format(search_name, search_path);
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
235 end;
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
236 };
2543
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
237 pattern = {
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
238 local_code = function (pattern_name)
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
239 local pattern = assert(active_definitions.PATTERN[pattern_name], "Undefined pattern: "..pattern_name);
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
240 return ("local pattern_%s = %q"):format(pattern_name, pattern);
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
241 end;
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
242 };
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
243 tokens = {
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
244 local_code = function (search_and_pattern)
2584
d64fc9c3cffd mod_firewall: Remove ambiguity from tokens dep parameter
Matthew Wild <mwild1@gmail.com>
parents: 2583
diff changeset
245 local search_name, pattern_name = search_and_pattern:match("^([^%-]+)-(.+)$");
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
246 local code = ([[local tokens_%s_%s = {};
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
247 if search_%s then
2543
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
248 for s in search_%s:gmatch(pattern_%s) do
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
249 tokens_%s_%s[s] = true;
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
250 end
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
251 end
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
252 ]]):format(search_name, pattern_name, search_name, search_name, pattern_name, search_name, pattern_name);
2543
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
253 return code, { "search:"..search_name, "pattern:"..pattern_name };
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
254 end;
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
255 };
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
256 scan_list = {
2533
9aed7f4e9f07 mod_firewall: Fix scan_list() syntax error in generated code
Matthew Wild <mwild1@gmail.com>
parents: 2528
diff changeset
257 global_code = [[local function scan_list(list, items) for item in pairs(items) do if list:contains(item) then return true; end end end]];
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
258 }
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
259 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
260
2077
368b091e723b mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2076
diff changeset
261 local function include_dep(dependency, code)
368b091e723b mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2076
diff changeset
262 local dep, dep_param = dependency:match("^([^:]+):?(.*)$");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
263 local dep_info = available_deps[dep];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
264 if not dep_info then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
265 module:log("error", "Dependency not found: %s", dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
266 return;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
267 end
2583
b6b10f57aa56 mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents: 2580
diff changeset
268 if code.included_deps[dependency] ~= nil then
b6b10f57aa56 mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents: 2580
diff changeset
269 if code.included_deps[dependency] ~= true then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
270 module:log("error", "Circular dependency on %s", dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
271 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
272 return;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
273 end
2583
b6b10f57aa56 mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents: 2580
diff changeset
274 code.included_deps[dependency] = false; -- Pending flag (used to detect circular references)
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
275 for _, dep_dep in ipairs(dep_info.depends or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
276 include_dep(dep_dep, code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
277 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
278 if dep_info.global_code then
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
279 if dep_param ~= "" then
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
280 local global_code, deps = dep_info.global_code(dep_param);
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
281 if deps then
2562
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
282 for _, dep_dep in ipairs(deps) do
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
283 include_dep(dep_dep, code);
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
284 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
285 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
286 table.insert(code.global_header, global_code);
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
287 else
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
288 table.insert(code.global_header, dep_info.global_code);
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
289 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
290 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
291 if dep_info.local_code then
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
292 if dep_param ~= "" then
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
293 local local_code, deps = dep_info.local_code(dep_param);
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
294 if deps then
2562
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
295 for _, dep_dep in ipairs(deps) do
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
296 include_dep(dep_dep, code);
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
297 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
298 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
299 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..local_code.."\n");
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
300 else
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
301 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code.."\n");
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
302 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
303 end
2583
b6b10f57aa56 mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents: 2580
diff changeset
304 code.included_deps[dependency] = true;
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
305 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
306
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
307 local definition_handlers = module:require("definitions");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
308 local condition_handlers = module:require("conditions");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
309 local action_handlers = module:require("actions");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
310
2894
165d2877eeac mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents: 2859
diff changeset
311 if module:get_option_boolean("firewall_experimental_user_marks", false) then
165d2877eeac mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents: 2859
diff changeset
312 module:require"marks";
165d2877eeac mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents: 2859
diff changeset
313 end
165d2877eeac mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents: 2859
diff changeset
314
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
315 local function new_rule(ruleset, chain)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
316 assert(chain, "no chain specified");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
317 local rule = { conditions = {}, actions = {}, deps = {} };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
318 table.insert(ruleset[chain], rule);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
319 return rule;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
320 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
321
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
322 local function parse_firewall_rules(filename)
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
323 local line_no = 0;
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
324
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
325 local function errmsg(err)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
326 return "Error compiling "..filename.." on line "..line_no..": "..err;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
327 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
328
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
329 local ruleset = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
330 deliver = {};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
331 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
332
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
333 local chain = "deliver"; -- Default chain
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
334 local rule;
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
335
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
336 local file, err = io.open(filename);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
337 if not file then return nil, err; end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
338
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
339 local state; -- nil -> "rules" -> "actions" -> nil -> ...
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
340
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
341 local line_hold;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
342 for line in file:lines() do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
343 line = line:match("^%s*(.-)%s*$");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
344 if line_hold and line:sub(-1,-1) ~= "\\" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
345 line = line_hold..line;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
346 line_hold = nil;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
347 elseif line:sub(-1,-1) == "\\" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
348 line_hold = (line_hold or "")..line:sub(1,-2);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
349 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
350 line_no = line_no + 1;
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
351
2080
a435db77a5e5 mod_firewall: Silence warning about empty if branch [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2078
diff changeset
352 if line_hold or line:find("^[#;]") then -- luacheck: ignore 542
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
353 -- No action; comment or partial line
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
354 elseif line == "" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
355 if state == "rules" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
356 return nil, ("Expected an action on line %d for preceding criteria")
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
357 :format(line_no);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
358 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
359 state = nil;
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
360 elseif not(state) and line:sub(1, 2) == "::" then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
361 chain = line:gsub("^::%s*", "");
980
aeb11522a44f mod_firewall: Fix variable name
Kim Alvefur <zash@zash.se>
parents: 971
diff changeset
362 local chain_info = chains[chain];
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
363 if not chain_info then
2364
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
364 if chain:match("^user/") then
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
365 chains[chain] = { type = "event", priority = 1, pass_return = false };
2364
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
366 else
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
367 return nil, errmsg("Unknown chain: "..chain);
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
368 end
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
369 elseif chain_info.type ~= "event" then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
370 return nil, errmsg("Only event chains supported at the moment");
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
371 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
372 ruleset[chain] = ruleset[chain] or {};
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
373 elseif not(state) and line:sub(1,1) == "%" then -- Definition (zone, limit, etc.)
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
374 local what, name = line:match("^%%%s*(%w+) +([^ :]+)");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
375 if not definition_handlers[what] then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
376 return nil, errmsg("Definition of unknown object: "..what);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
377 elseif not name or not idsafe(name) then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
378 return nil, errmsg("Invalid "..what.." name");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
379 end
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
380
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
381 local val = line:match(": ?(.*)$");
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
382 if not val and line:find(":<") then -- Read from file
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
383 local fn = line:match(":< ?(.-)%s*$");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
384 if not fn then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
385 return nil, errmsg("Unable to parse filename");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
386 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
387 local f, err = io.open(fn);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
388 if not f then return nil, errmsg(err); end
2526
b2fc41001c8e mod_firewall: Fix pattern
Matthew Wild <mwild1@gmail.com>
parents: 2525
diff changeset
389 val = f:read("*a"):gsub("\r?\n", " "):gsub("%s+$", "");
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
390 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
391 if not val then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
392 return nil, errmsg("No value given for definition");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
393 end
2550
19a182651a9b mod_firewall: Allow backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents: 2549
diff changeset
394 val = stripslashes(val);
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
395 local ok, ret = pcall(definition_handlers[what], name, val);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
396 if not ok then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
397 return nil, errmsg(ret);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
398 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
399
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
400 if not active_definitions[what] then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
401 active_definitions[what] = {};
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
402 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
403 active_definitions[what][name] = ret;
2539
1510b66a43fc mod_firewall: Allow using spaces instead of underscores in actions, as well as conditions
Matthew Wild <mwild1@gmail.com>
parents: 2538
diff changeset
404 elseif line:find("^[%w_ ]+[%.=]") then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
405 -- Action
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
406 if state == nil then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
407 -- This is a standalone action with no conditions
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
408 rule = new_rule(ruleset, chain);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
409 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
410 state = "actions";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
411 -- Action handlers?
2539
1510b66a43fc mod_firewall: Allow using spaces instead of underscores in actions, as well as conditions
Matthew Wild <mwild1@gmail.com>
parents: 2538
diff changeset
412 local action = line:match("^[%w_ ]+"):upper():gsub(" ", "_");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
413 if not action_handlers[action] then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
414 return nil, ("Unknown action on line %d: %s"):format(line_no, action or "<unknown>");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
415 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
416 table.insert(rule.actions, "-- "..line)
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
417 local ok, action_string, action_deps = pcall(action_handlers[action], line:match("=(.+)$"));
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
418 if not ok then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
419 return nil, errmsg(action_string);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
420 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
421 table.insert(rule.actions, action_string);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
422 for _, dep in ipairs(action_deps or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
423 table.insert(rule.deps, dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
424 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
425 elseif state == "actions" then -- state is actions but action pattern did not match
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
426 state = nil; -- Awaiting next rule, etc.
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
427 table.insert(ruleset[chain], rule);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
428 rule = nil;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
429 else
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
430 if not state then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
431 state = "rules";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
432 rule = new_rule(ruleset, chain);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
433 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
434 -- Check standard modifiers for the condition (e.g. NOT)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
435 local negated;
2404
9af2d36567a8 mod_firewall: Allow conditions to end with a question mark
Kim Alvefur <zash@zash.se>
parents: 2402
diff changeset
436 local condition = line:match("^[^:=%.?]*");
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
437 if condition:find("%f[%w]NOT%f[^%w]") then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
438 local s, e = condition:match("%f[%w]()NOT()%f[^%w]");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
439 condition = (condition:sub(1,s-1)..condition:sub(e+1, -1)):match("^%s*(.-)%s*$");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
440 negated = true;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
441 end
998
6fdcebbd2284 mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents: 996
diff changeset
442 condition = condition:gsub(" ", "_");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
443 if not condition_handlers[condition] then
998
6fdcebbd2284 mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents: 996
diff changeset
444 return nil, ("Unknown condition on line %d: %s"):format(line_no, (condition:gsub("_", " ")));
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
445 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
446 -- Get the code for this condition
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
447 local ok, condition_code, condition_deps = pcall(condition_handlers[condition], line:match(":%s?(.+)$"));
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
448 if not ok then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
449 return nil, errmsg(condition_code);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
450 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
451 if negated then condition_code = "not("..condition_code..")"; end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
452 table.insert(rule.conditions, condition_code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
453 for _, dep in ipairs(condition_deps or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
454 table.insert(rule.deps, dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
455 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
456 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
457 end
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
458 return ruleset;
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
459 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
460
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
461 local function process_firewall_rules(ruleset)
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
462 -- Compile ruleset and return complete code
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
463
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
464 local chain_handlers = {};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
465
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
466 -- Loop through the chains in the parsed ruleset (e.g. incoming, outgoing)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
467 for chain_name, rules in pairs(ruleset) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
468 local code = { included_deps = {}, global_header = {} };
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
469 local condition_uses = {};
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
470 -- This inner loop assumes chain is an event-based, not a filter-based
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
471 -- chain (filter-based will be added later)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
472 for _, rule in ipairs(rules) do
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
473 for _, condition in ipairs(rule.conditions) do
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
474 if condition:find("^not%(.+%)$") then
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
475 condition = condition:match("^not%((.+)%)$");
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
476 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
477 condition_uses[condition] = (condition_uses[condition] or 0) + 1;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
478 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
479 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
480
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
481 local condition_cache, n_conditions = {}, 0;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
482 for _, rule in ipairs(rules) do
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
483 for _, dep in ipairs(rule.deps) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
484 include_dep(dep, code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
485 end
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
486 table.insert(code, "\n\t\t");
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
487 local rule_code;
967
a88f33fe6970 mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents: 966
diff changeset
488 if #rule.conditions > 0 then
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
489 for i, condition in ipairs(rule.conditions) do
1001
c0850793b716 mod_firewall: don't use %b() (not technically correct)
Matthew Wild <mwild1@gmail.com>
parents: 999
diff changeset
490 local negated = condition:match("^not%(.+%)$");
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
491 if negated then
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
492 condition = condition:match("^not%((.+)%)$");
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
493 end
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
494 if condition_uses[condition] > 1 then
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
495 local name = condition_cache[condition];
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
496 if not name then
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
497 n_conditions = n_conditions + 1;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
498 name = "condition"..n_conditions;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
499 condition_cache[condition] = name;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
500 table.insert(code, "local "..name.." = "..condition..";\n\t\t");
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
501 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
502 rule.conditions[i] = (negated and "not(" or "")..name..(negated and ")" or "");
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
503 else
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
504 rule.conditions[i] = (negated and "not(" or "(")..condition..")";
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
505 end
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
506 end
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
507
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
508 rule_code = "if "..table.concat(rule.conditions, " and ").." then\n\t\t\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
509 ..table.concat(rule.actions, "\n\t\t\t")
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
510 .."\n\t\tend\n";
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
511 else
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
512 rule_code = table.concat(rule.actions, "\n\t\t");
967
a88f33fe6970 mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents: 966
diff changeset
513 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
514 table.insert(code, rule_code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
515 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
516
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
517 for name in pairs(definition_handlers) do
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
518 table.insert(code.global_header, 1, "local "..name:lower().."s = definitions."..name..";");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
519 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
520
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
521 local code_string = "return function (definitions, fire_event, log, module, pass_return)\n\t"
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
522 ..table.concat(code.global_header, "\n\t")
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
523 .."\n\tlocal db = require 'util.debug';\n\n\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
524 .."return function (event)\n\t\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
525 .."local stanza, session = event.stanza, event.origin;\n"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
526 ..table.concat(code, "")
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
527 .."\n\tend;\nend";
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
528
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
529 chain_handlers[chain_name] = code_string;
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
530 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
531
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
532 return chain_handlers;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
533 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
534
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
535 local function compile_firewall_rules(filename)
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
536 local ruleset, err = parse_firewall_rules(filename);
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
537 if not ruleset then return nil, err; end
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
538 local chain_handlers = process_firewall_rules(ruleset);
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
539 return chain_handlers;
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
540 end
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
541
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
542 -- Compile handler code into a factory that produces a valid event handler. Factory accepts
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
543 -- a value to be returned on PASS
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
544 local function compile_handler(code_string, filename)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
545 -- Prepare event handler function
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
546 local chunk, err = loadstring(code_string, "="..filename);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
547 if not chunk then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
548 return nil, "Error compiling (probably a compiler bug, please report): "..err;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
549 end
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
550 local function fire_event(name, data)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
551 return module:fire_event(name, data);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
552 end
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
553 return function (pass_return)
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
554 return chunk()(active_definitions, fire_event, logger(filename), module, pass_return); -- Returns event handler with upvalues
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
555 end
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
556 end
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
557
2366
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
558 local function resolve_script_path(script_path)
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
559 local relative_to = prosody.paths.config;
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
560 if script_path:match("^module:") then
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
561 relative_to = module.path:sub(1, -#("/mod_"..module.name..".lua"));
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
562 script_path = script_path:match("^module:(.+)$");
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
563 end
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
564 return resolve_relative_path(relative_to, script_path);
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
565 end
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
566
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
567 -- [filename] = { last_modified = ..., events_hooked = { [name] = handler } }
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
568 local loaded_scripts = {};
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
569
2574
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
570 function load_script(script)
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
571 script = resolve_script_path(script);
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
572 local last_modified = (lfs.attributes(script) or {}).modification or os.time();
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
573 if loaded_scripts[script] then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
574 if loaded_scripts[script].last_modified == last_modified then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
575 return; -- Already loaded, and source file hasn't changed
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
576 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
577 module:log("debug", "Reloading %s", script);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
578 -- Already loaded, but the source file has changed
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
579 -- unload it now, and we'll load the new version below
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
580 unload_script(script, true);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
581 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
582 local chain_functions, err = compile_firewall_rules(script);
2859
22e11645a895 mod_firewall: Trim trailing whitespace [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2585
diff changeset
583
2574
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
584 if not chain_functions then
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
585 module:log("error", "Error compiling %s: %s", script, err or "unknown error");
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
586 return;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
587 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
588
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
589 -- Loop through the chains in the script, and for each chain attach the compiled code to the
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
590 -- relevant events, keeping track in events_hooked so we can cleanly unload later
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
591 local events_hooked = {};
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
592 for chain, handler_code in pairs(chain_functions) do
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
593 local new_handler, err = compile_handler(handler_code, "mod_firewall::"..chain);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
594 if not new_handler then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
595 module:log("error", "Compilation error for %s: %s", script, err);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
596 else
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
597 local chain_definition = chains[chain];
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
598 if chain_definition and chain_definition.type == "event" then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
599 local handler = new_handler(chain_definition.pass_return);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
600 for _, event_name in ipairs(chain_definition) do
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
601 events_hooked[event_name] = handler;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
602 module:hook(event_name, handler, chain_definition.priority);
2574
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
603 end
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
604 elseif not chain:sub(1, 5) == "user/" then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
605 module:log("warn", "Unknown chain %q", chain);
2574
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
606 end
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
607 local event_name, handler = "firewall/chains/"..chain, new_handler(false);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
608 events_hooked[event_name] = handler;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
609 module:hook(event_name, handler);
2574
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
610 end
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
611 end
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
612 loaded_scripts[script] = { last_modified = last_modified, events_hooked = events_hooked };
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
613 module:log("debug", "Loaded %s", script);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
614 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
615
2580
aaff2716f022 mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents: 2579
diff changeset
616 --COMPAT w/0.9 (no module:unhook()!)
aaff2716f022 mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents: 2579
diff changeset
617 local function module_unhook(event, handler)
aaff2716f022 mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents: 2579
diff changeset
618 return module:unhook_object_event((hosts[module.host] or prosody).events, event, handler);
aaff2716f022 mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents: 2579
diff changeset
619 end
aaff2716f022 mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents: 2579
diff changeset
620
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
621 function unload_script(script, is_reload)
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
622 script = resolve_script_path(script);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
623 local script_info = loaded_scripts[script];
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
624 if not script_info then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
625 return; -- Script not loaded
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
626 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
627 local events_hooked = script_info.events_hooked;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
628 for event_name, event_handler in pairs(events_hooked) do
2580
aaff2716f022 mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents: 2579
diff changeset
629 module_unhook(event_name, event_handler);
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
630 events_hooked[event_name] = nil;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
631 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
632 loaded_scripts[script] = nil;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
633 if not is_reload then
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
634 module:log("debug", "Unloaded %s", script);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
635 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
636 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
637
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
638 -- Given a set of scripts (e.g. from config) figure out which ones need to
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
639 -- be loaded, which are already loaded but need unloading, and which to reload
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
640 function load_unload_scripts(script_list)
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
641 local wanted_scripts = script_list / resolve_script_path;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
642 local currently_loaded = set.new(it.to_array(it.keys(loaded_scripts)));
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
643 local scripts_to_unload = currently_loaded - wanted_scripts;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
644 for script in wanted_scripts do
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
645 -- If the script is already loaded, this is fine - it will
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
646 -- reload the script for us if the file has changed
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
647 load_script(script);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
648 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
649 for script in scripts_to_unload do
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
650 unload_script(script);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
651 end
2574
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
652 end
f65c5927ee8e mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents: 2573
diff changeset
653
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
654 function module.load()
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
655 if not prosody.arg then return end -- Don't run in prosodyctl
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
656 local firewall_scripts = module:get_option_set("firewall_scripts", {});
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
657 load_unload_scripts(firewall_scripts);
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
658 -- Replace contents of definitions table (shared) with active definitions
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
659 for k in it.keys(definitions) do definitions[k] = nil; end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
660 for k,v in pairs(active_definitions) do definitions[k] = v; end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
661 end
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
662
2578
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
663 function module.save()
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
664 return { active_definitions = active_definitions, loaded_scripts = loaded_scripts };
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
665 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
666
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
667 function module.restore(state)
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
668 active_definitions = state.active_definitions;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
669 loaded_scripts = state.loaded_scripts;
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
670 end
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
671
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
672 module:hook_global("config-reloaded", function ()
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
673 load_unload_scripts(module:get_option_set("firewall_scripts", {}));
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
674 end);
6dbd07f9a868 mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents: 2574
diff changeset
675
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
676 function module.command(arg)
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
677 if not arg[1] or arg[1] == "--help" then
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
678 require"util.prosodyctl".show_usage([[mod_firewall <firewall.pfw>]], [[Compile files with firewall rules to Lua code]]);
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
679 return 1;
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
680 end
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
681 local verbose = arg[1] == "-v";
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
682 if verbose then table.remove(arg, 1); end
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
683
2585
02c6ae745c4f mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents: 2584
diff changeset
684 if arg[1] == "test" then
02c6ae745c4f mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents: 2584
diff changeset
685 table.remove(arg, 1);
02c6ae745c4f mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents: 2584
diff changeset
686 return module:require("test")(arg);
02c6ae745c4f mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents: 2584
diff changeset
687 end
02c6ae745c4f mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents: 2584
diff changeset
688
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
689 local serialize = require "util.serialization".serialize;
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
690 if verbose then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
691 print("local logger = require \"util.logger\".init;");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
692 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
693 print("local function fire_event(name, data)\n\tmodule:fire_event(name, data)\nend");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
694 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
695 end
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
696
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
697 for _, filename in ipairs(arg) do
2366
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
698 filename = resolve_script_path(filename);
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
699 print("do -- File "..filename);
2365
05dae9adf778 mod_firewall: Fix for when compiling on the command line and specifying multiple files
Matthew Wild <mwild1@gmail.com>
parents: 2364
diff changeset
700 local chain_functions = assert(compile_firewall_rules(filename));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
701 if verbose then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
702 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
703 print("local active_definitions = "..serialize(active_definitions)..";");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
704 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
705 end
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
706 local c = 0;
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
707 for chain, handler_code in pairs(chain_functions) do
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
708 c = c + 1;
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
709 print("---- Chain "..chain:gsub("_", " "));
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
710 local chain_func_name = "chain_"..tostring(c).."_"..chain:gsub("%p", "_");
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
711 if not verbose then
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
712 print(("%s = %s;"):format(chain_func_name, handler_code:sub(8)));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
713 else
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
714
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
715 print(("local %s = (%s)(active_definitions, fire_event, logger(%q));"):format(chain_func_name, handler_code:sub(8), filename));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
716 print();
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
717
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
718 local chain_definition = chains[chain];
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
719 if chain_definition and chain_definition.type == "event" then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
720 for _, event_name in ipairs(chain_definition) do
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
721 print(("module:hook(%q, %s, %d);"):format(event_name, chain_func_name, chain_definition.priority or 0));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
722 end
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
723 end
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
724 print(("module:hook(%q, %s, %d);"):format("firewall/chains/"..chain, chain_func_name, chain_definition.priority or 0));
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
725 end
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
726
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
727 print("---- End of chain "..chain);
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
728 print();
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
729 end
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
730 print("end -- End of file "..filename);
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
731 end
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
732 end