Software /
code /
prosody-modules
Annotate
mod_firewall/conditions.lib.lua @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication bypass when no secret is given should be
relatively safe when the actor is unprivileged, as will be unless
explicitly configured otherwise.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 30 Mar 2019 21:16:13 +0100 |
parent | 2928:b0d92332b87f |
child | 3973:df6227e288e5 |
rev | line source |
---|---|
2125
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2119
diff
changeset
|
1 --luacheck: globals meta idsafe |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local condition_handlers = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local jid = require "util.jid"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
6 -- Helper to convert user-input strings (yes/true//no/false) to a bool |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
7 local function string_to_boolean(s) |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
8 s = s:lower(); |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
9 return s == "yes" or s == "true"; |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
10 end |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
11 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 -- Return a code string for a condition that checks whether the contents |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 -- of variable with the name 'name' matches any of the values in the |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 -- comma/space/pipe delimited list 'values'. |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local function compile_comparison_list(name, values) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local conditions = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 for value in values:gmatch("[^%s,|]+") do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 table.insert(conditions, ("%s == %q"):format(name, value)); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 return table.concat(conditions, " or "); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 function condition_handlers.KIND(kind) |
2582
ac3140cd89a2
mod_firewall: Fix compilation error if TYPE/KIND had no parameter
Matthew Wild <mwild1@gmail.com>
parents:
2577
diff
changeset
|
24 assert(kind, "Expected stanza kind to match against"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 return compile_comparison_list("name", kind), { "name" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 local wildcard_equivs = { ["*"] = ".*", ["?"] = "." }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 local function compile_jid_match_part(part, match) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 if not match then |
2071
4161ff87e5a4
mod_firewall/conditions: Add semicolon
Kim Alvefur <zash@zash.se>
parents:
2070
diff
changeset
|
32 return part.." == nil"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 end |
2072
eda5c54dfa30
mod_firewall: Anchor pattern at beginning and end
Kim Alvefur <zash@zash.se>
parents:
2071
diff
changeset
|
34 local pattern = match:match("^<(.*)>$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 if pattern then |
962
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
36 if pattern == "*" then |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
37 return part; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 end |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
2036
diff
changeset
|
39 if pattern:find("^<.*>$") then |
962
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
40 pattern = pattern:match("^<(.*)>$"); |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
41 else |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
42 pattern = pattern:gsub("%p", "%%%0"):gsub("%%(%p)", wildcard_equivs); |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
43 end |
2074
86427261e3c4
mod_firewall: Use string.find in JID match, faster since the result is unused
Kim Alvefur <zash@zash.se>
parents:
2073
diff
changeset
|
44 return ("(%s and %s:find(%q))"):format(part, part, "^"..pattern.."$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 else |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 return ("%s == %q"):format(part, match); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 local function compile_jid_match(which, match_jid) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 local match_node, match_host, match_resource = jid.split(match_jid); |
963
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
52 local conditions = {}; |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
53 conditions[#conditions+1] = compile_jid_match_part(which.."_node", match_node); |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
54 conditions[#conditions+1] = compile_jid_match_part(which.."_host", match_host); |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
55 if match_resource then |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
56 conditions[#conditions+1] = compile_jid_match_part(which.."_resource", match_resource); |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
57 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 return table.concat(conditions, " and "); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 function condition_handlers.TO(to) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 return compile_jid_match("to", to), { "split_to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 function condition_handlers.FROM(from) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 return compile_jid_match("from", from), { "split_from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 |
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
69 function condition_handlers.FROM_EXACTLY(from) |
2552
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
70 local metadeps = {}; |
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
71 return ("from == %s"):format(metaq(from, metadeps)), { "from", unpack(metadeps) }; |
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
72 end |
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
73 |
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
74 function condition_handlers.TO_EXACTLY(to) |
2552
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
75 local metadeps = {}; |
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
76 return ("to == %s"):format(metaq(to, metadeps)), { "to", unpack(metadeps) }; |
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
77 end |
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
78 |
2465
bd69ffe071e6
mod_firewall: Add 'TO SELF' check ('NOT TO?' worked until commit 9159f9166893)
Matthew Wild <mwild1@gmail.com>
parents:
2403
diff
changeset
|
79 function condition_handlers.TO_SELF() |
2563
2f1e25706f81
mod_firewall: TO SELF: Use raw stanza.attr.to directly, as 'to' defaults to bare JID if nil
Matthew Wild <mwild1@gmail.com>
parents:
2555
diff
changeset
|
80 -- Intentionally not using 'to' here, as that defaults to bare JID when nil |
2f1e25706f81
mod_firewall: TO SELF: Use raw stanza.attr.to directly, as 'to' defaults to bare JID if nil
Matthew Wild <mwild1@gmail.com>
parents:
2555
diff
changeset
|
81 return ("stanza.attr.to == nil"); |
2465
bd69ffe071e6
mod_firewall: Add 'TO SELF' check ('NOT TO?' worked until commit 9159f9166893)
Matthew Wild <mwild1@gmail.com>
parents:
2403
diff
changeset
|
82 end |
bd69ffe071e6
mod_firewall: Add 'TO SELF' check ('NOT TO?' worked until commit 9159f9166893)
Matthew Wild <mwild1@gmail.com>
parents:
2403
diff
changeset
|
83 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 function condition_handlers.TYPE(type) |
2582
ac3140cd89a2
mod_firewall: Fix compilation error if TYPE/KIND had no parameter
Matthew Wild <mwild1@gmail.com>
parents:
2577
diff
changeset
|
85 assert(type, "Expected 'type' value to match against"); |
979
cec42f884475
mod_firewall: The default value of the 'type' attribute on message stanzas is 'normal'
Kim Alvefur <zash@zash.se>
parents:
971
diff
changeset
|
86 return compile_comparison_list("(type or (name == 'message' and 'normal') or (name == 'presence' and 'available'))", type), { "type", "name" }; |
964
04e85eb3dfef
mod_firewall/conditions: Default types for message and presence
Matthew Wild <mwild1@gmail.com>
parents:
963
diff
changeset
|
87 end |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
88 |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
89 local function zone_check(zone, which) |
2928
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
90 local zone_var = zone; |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
91 if zone == "$local" then zone_var = "_local" end |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
92 local which_not = which == "from" and "to" or "from"; |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
93 return ("(zone_%s[%s_host] or zone_%s[%s] or zone_%s[bare_%s]) " |
2119
5f6c18fd0161
mod_firewall: Correct zone condition to check bare JID
Kim Alvefur <zash@zash.se>
parents:
2116
diff
changeset
|
94 .."and not(zone_%s[%s_host] or zone_%s[%s] or zone_%s[bare_%s])" |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
95 ) |
2928
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
96 :format(zone_var, which, zone_var, which, zone_var, which, |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
97 zone_var, which_not, zone_var, which_not, zone_var, which_not), { |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
98 "split_to", "split_from", "bare_to", "bare_from", "zone:"..zone |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
99 }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
100 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 function condition_handlers.ENTERING(zone) |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
103 return zone_check(zone, "to"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
104 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 function condition_handlers.LEAVING(zone) |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
107 return zone_check(zone, "from"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
108 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 |
2537
acdc1767a715
mod_firewall: Make parameter to 'IN ROSTER' optional
Matthew Wild <mwild1@gmail.com>
parents:
2534
diff
changeset
|
110 -- IN ROSTER? (parameter is deprecated) |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
111 function condition_handlers.IN_ROSTER(yes_no) |
2537
acdc1767a715
mod_firewall: Make parameter to 'IN ROSTER' optional
Matthew Wild <mwild1@gmail.com>
parents:
2534
diff
changeset
|
112 local in_roster_requirement = string_to_boolean(yes_no or "yes"); -- COMPAT w/ older scripts |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
113 return "not "..(in_roster_requirement and "not" or "").." roster_entry", { "roster_entry" }; |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
114 end |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
115 |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
116 function condition_handlers.IN_ROSTER_GROUP(group) |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
117 return ("not not (roster_entry and roster_entry.groups[%q])"):format(group), { "roster_entry" }; |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
118 end |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
119 |
2403
f96bdfd81eba
mod_firewall: SUBSCRIBED - condition that is true if the receiver of a stanza is subscribed to the sender
Kim Alvefur <zash@zash.se>
parents:
2386
diff
changeset
|
120 function condition_handlers.SUBSCRIBED() |
2857
ff1666716d10
mod_firewall: Make SUBSCRIBED match for stanzas sent to self (fixes #1052)
Kim Alvefur <zash@zash.se>
parents:
2618
diff
changeset
|
121 return "(bare_to == bare_from or to_node and rostermanager.is_contact_subscribed(to_node, to_host, bare_from))", |
ff1666716d10
mod_firewall: Make SUBSCRIBED match for stanzas sent to self (fixes #1052)
Kim Alvefur <zash@zash.se>
parents:
2618
diff
changeset
|
122 { "rostermanager", "split_to", "bare_to", "bare_from" }; |
2403
f96bdfd81eba
mod_firewall: SUBSCRIBED - condition that is true if the receiver of a stanza is subscribed to the sender
Kim Alvefur <zash@zash.se>
parents:
2386
diff
changeset
|
123 end |
f96bdfd81eba
mod_firewall: SUBSCRIBED - condition that is true if the receiver of a stanza is subscribed to the sender
Kim Alvefur <zash@zash.se>
parents:
2386
diff
changeset
|
124 |
2916
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
125 function condition_handlers.PENDING_SUBSCRIPTION_FROM_SENDER() |
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
126 return "(bare_to == bare_from or to_node and rostermanager.is_contact_pending_in(to_node, to_host, bare_from))", |
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
127 { "rostermanager", "split_to", "bare_to", "bare_from" }; |
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
128 end |
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
129 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
130 function condition_handlers.PAYLOAD(payload_ns) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 return ("stanza:get_child(nil, %q)"):format(payload_ns); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 |
954
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
134 function condition_handlers.INSPECT(path) |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
135 if path:find("=") then |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
136 local query, match_type, value = path:match("(.-)([~/$]*)=(.*)"); |
2362
c065ab67d807
mod_firewall: INSPECT: Emit compilation error when the given stanza path is used for comparison but doesn't return a string
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
137 if not(query:match("#$") or query:match("@[^/]+")) then |
c065ab67d807
mod_firewall: INSPECT: Emit compilation error when the given stanza path is used for comparison but doesn't return a string
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
138 error("Stanza path does not return a string (append # for text content or @name for value of named attribute)", 0); |
c065ab67d807
mod_firewall: INSPECT: Emit compilation error when the given stanza path is used for comparison but doesn't return a string
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
139 end |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
140 local meta_deps = {}; |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
141 local quoted_value = ("%q"):format(value); |
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
142 if match_type:find("$", 1, true) then |
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
143 match_type = match_type:gsub("%$", ""); |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
144 quoted_value = meta(quoted_value, meta_deps); |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
145 end |
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
146 if match_type == "~" then -- Lua pattern match |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
147 return ("(stanza:find(%q) or ''):match(%s)"):format(query, quoted_value), meta_deps; |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
148 elseif match_type == "/" then -- find literal substring |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
149 return ("(stanza:find(%q) or ''):find(%s, 1, true)"):format(query, quoted_value), meta_deps; |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
150 elseif match_type == "" then -- exact match |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
151 return ("stanza:find(%q) == %s"):format(query, quoted_value), meta_deps; |
2109
9db4113d0cb5
mod_firewall: INSPECT: Support for pattern matches (confusingly using ~= instead of =)
Matthew Wild <mwild1@gmail.com>
parents:
2107
diff
changeset
|
152 else |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
153 error("Unrecognised comparison '"..match_type.."='", 0); |
2109
9db4113d0cb5
mod_firewall: INSPECT: Support for pattern matches (confusingly using ~= instead of =)
Matthew Wild <mwild1@gmail.com>
parents:
2107
diff
changeset
|
154 end |
954
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
155 end |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
156 return ("stanza:find(%q)"):format(path); |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
157 end |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
158 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
159 function condition_handlers.FROM_GROUP(group_name) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 return ("group_contains(%q, bare_from)"):format(group_name), { "group_contains", "bare_from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
161 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 function condition_handlers.TO_GROUP(group_name) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 return ("group_contains(%q, bare_to)"):format(group_name), { "group_contains", "bare_to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
166 |
2594
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
167 function condition_handlers.CROSSING_GROUPS(group_names) |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
168 local code = {}; |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
169 for group_name in group_names:gmatch("([^, ][^,]+)") do |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
170 group_name = group_name:match("^%s*(.-)%s*$"); -- Trim leading/trailing whitespace |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
171 -- Just check that's it is crossing from outside group to inside group |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
172 table.insert(code, ("(group_contains(%q, bare_to) and group_contains(%q, bare_from))"):format(group_name, group_name)) |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
173 end |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
174 return "not "..table.concat(code, " or "), { "group_contains", "bare_to", "bare_from" }; |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
175 end |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
176 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
177 function condition_handlers.FROM_ADMIN_OF(host) |
2577
00cef058df8d
mod_firewall: TO/FROM ADMIN OF: Fix string quoting
Matthew Wild <mwild1@gmail.com>
parents:
2575
diff
changeset
|
178 return ("is_admin(bare_from, %s)"):format(host ~= "*" and metaq(host) or nil), { "is_admin", "bare_from" }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
179 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
180 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
181 function condition_handlers.TO_ADMIN_OF(host) |
2577
00cef058df8d
mod_firewall: TO/FROM ADMIN OF: Fix string quoting
Matthew Wild <mwild1@gmail.com>
parents:
2575
diff
changeset
|
182 return ("is_admin(bare_to, %s)"):format(host ~= "*" and metaq(host) or nil), { "is_admin", "bare_to" }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
183 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
184 |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
185 function condition_handlers.FROM_ADMIN() |
2575
214b49d05ea1
mod_firewall: Fix TO/FROM ADMIN to use current (module) host
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
186 return ("is_admin(bare_from, current_host)"), { "is_admin", "bare_from", "current_host" }; |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
187 end |
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
188 |
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
189 function condition_handlers.TO_ADMIN() |
2575
214b49d05ea1
mod_firewall: Fix TO/FROM ADMIN to use current (module) host
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
190 return ("is_admin(bare_to, current_host)"), { "is_admin", "bare_to", "current_host" }; |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
191 end |
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
192 |
968
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
193 local day_numbers = { sun = 0, mon = 2, tue = 3, wed = 4, thu = 5, fri = 6, sat = 7 }; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
194 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
195 local function current_time_check(op, hour, minute) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
196 hour, minute = tonumber(hour), tonumber(minute); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
197 local adj_op = op == "<" and "<" or ">="; -- Start time inclusive, end time exclusive |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
198 if minute == 0 then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
199 return "(current_hour"..adj_op..hour..")"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
200 else |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
201 return "((current_hour"..op..hour..") or (current_hour == "..hour.." and current_minute"..adj_op..minute.."))"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
202 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
203 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
204 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
205 local function resolve_day_number(day_name) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
206 return assert(day_numbers[day_name:sub(1,3):lower()], "Unknown day name: "..day_name); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
207 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
208 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
209 function condition_handlers.DAY(days) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
210 local conditions = {}; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
211 for day_range in days:gmatch("[^,]+") do |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
212 local day_start, day_end = day_range:match("(%a+)%s*%-%s*(%a+)"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
213 if day_start and day_end then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
214 local day_start_num, day_end_num = resolve_day_number(day_start), resolve_day_number(day_end); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
215 local op = "and"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
216 if day_end_num < day_start_num then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
217 op = "or"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
218 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
219 table.insert(conditions, ("current_day >= %d %s current_day <= %d"):format(day_start_num, op, day_end_num)); |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
2036
diff
changeset
|
220 elseif day_range:find("%a") then |
968
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
221 local day = resolve_day_number(day_range:match("%a+")); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
222 table.insert(conditions, "current_day == "..day); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
223 else |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
224 error("Unable to parse day/day range: "..day_range); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
225 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
226 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
227 assert(#conditions>0, "Expected a list of days or day ranges"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
228 return "("..table.concat(conditions, ") or (")..")", { "time:day" }; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
229 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
230 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
231 function condition_handlers.TIME(ranges) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
232 local conditions = {}; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
233 for range in ranges:gmatch("([^,]+)") do |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
234 local clause = {}; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
235 range = range:lower() |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
236 :gsub("(%d+):?(%d*) *am", function (h, m) return tostring(tonumber(h)%12)..":"..(tonumber(m) or "00"); end) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
237 :gsub("(%d+):?(%d*) *pm", function (h, m) return tostring(tonumber(h)%12+12)..":"..(tonumber(m) or "00"); end); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
238 local start_hour, start_minute = range:match("(%d+):(%d+) *%-"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
239 local end_hour, end_minute = range:match("%- *(%d+):(%d+)"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
240 local op = tonumber(start_hour) > tonumber(end_hour) and " or " or " and "; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
241 if start_hour and end_hour then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
242 table.insert(clause, current_time_check(">", start_hour, start_minute)); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
243 table.insert(clause, current_time_check("<", end_hour, end_minute)); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
244 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
245 if #clause == 0 then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
246 error("Unable to parse time range: "..range); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
247 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
248 table.insert(conditions, "("..table.concat(clause, " "..op.." ")..")"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
249 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
250 return table.concat(conditions, " or "), { "time:hour,min" }; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
251 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
252 |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
253 function condition_handlers.LIMIT(spec) |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
254 local name, param = spec:match("^(%w+) on (.+)$"); |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
255 local meta_deps = {}; |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
256 |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
257 if not name then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
258 name = spec:match("^%w+$"); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
259 if not name then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
260 error("Unable to parse LIMIT specification"); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
261 end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
262 else |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
263 param = meta(("%q"):format(param), meta_deps); |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
264 end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
265 |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
266 if not param then |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
267 return ("not global_throttle_%s:poll(1)"):format(name), { "globalthrottle:"..name, unpack(meta_deps) }; |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
268 end |
2859
22e11645a895
mod_firewall: Trim trailing whitespace [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2857
diff
changeset
|
269 return ("not multi_throttle_%s:poll_on(%s, 1)"):format(name, param), { "multithrottle:"..name, unpack(meta_deps) }; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
968
diff
changeset
|
270 end |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
968
diff
changeset
|
271 |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
272 function condition_handlers.ORIGIN_MARKED(name_and_time) |
2127
59023dffbdd4
mod_firewall: Allow underscore in mark names (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2125
diff
changeset
|
273 local name, time = name_and_time:match("^%s*([%w_]+)%s+%(([^)]+)s%)%s*$"); |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
274 if not name then |
2127
59023dffbdd4
mod_firewall: Allow underscore in mark names (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2125
diff
changeset
|
275 name = name_and_time:match("^%s*([%w_]+)%s*$"); |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
276 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
277 if not name then |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
278 error("Error parsing mark name, see documentation for usage examples"); |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
279 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
280 if time then |
2116
2bb42ba342f3
mod_firewall: Fix usage of incorrect variable current_time in ORIGIN_MARKED condition (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2109
diff
changeset
|
281 return ("(current_timestamp - (session.firewall_marked_%s or 0)) < %d"):format(idsafe(name), tonumber(time)), { "timestamp" }; |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
282 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
283 return ("not not session.firewall_marked_"..idsafe(name)); |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
284 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
285 |
2894
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
286 function condition_handlers.USER_MARKED(name_and_time) |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
287 local name, time = name_and_time:match("^%s*([%w_]+)%s+%(([^)]+)s%)%s*$"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
288 if not name then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
289 name = name_and_time:match("^%s*([%w_]+)%s*$"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
290 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
291 if not name then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
292 error("Error parsing mark name, see documentation for usage examples"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
293 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
294 if time then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
295 return ("(current_timestamp - (session.firewall_marks and session.firewall_marks.%s or 0)) < %d"):format(idsafe(name), tonumber(time)), { "timestamp" }; |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
296 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
297 return ("not not (session.firewall_marks and session.firewall_marks."..idsafe(name)..")"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
298 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
299 |
2554
19bb4606013f
mod_firewall: Fix everything wrong with SENT_DIRECTED_PRESENCE_TO_SENDER
Matthew Wild <mwild1@gmail.com>
parents:
2553
diff
changeset
|
300 function condition_handlers.SENT_DIRECTED_PRESENCE_TO_SENDER() |
2882
6f289283feb1
mod_firewall: Prevent traceback if no directed presence has been sent (fixes #1081)
Kim Alvefur <zash@zash.se>
parents:
2859
diff
changeset
|
301 return "not not (session.directed and session.directed[from])", { "from" }; |
2529
3fe4ca2b55c2
mod_firewall: Add 'SENT DIRECTED PRESENCE TO SENDER?'
Matthew Wild <mwild1@gmail.com>
parents:
2528
diff
changeset
|
302 end |
3fe4ca2b55c2
mod_firewall: Add 'SENT DIRECTED PRESENCE TO SENDER?'
Matthew Wild <mwild1@gmail.com>
parents:
2528
diff
changeset
|
303 |
2618
c6652d055ba3
mod_firewall: Add some more comments
Matthew Wild <mwild1@gmail.com>
parents:
2594
diff
changeset
|
304 -- TO FULL JID? |
2555
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
305 function condition_handlers.TO_FULL_JID() |
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
306 return "not not full_sessions[to]", { "to" }; |
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
307 end |
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
308 |
2520
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
309 -- CHECK LIST: spammers contains $<@from> |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
310 function condition_handlers.CHECK_LIST(list_condition) |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
311 local list_name, expr = list_condition:match("(%S+) contains (.+)$"); |
2521
66b81e144ded
mod_firewall: Fix CHECK LIST syntax check
Matthew Wild <mwild1@gmail.com>
parents:
2520
diff
changeset
|
312 if not (list_name and expr) then |
2520
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
313 error("Error parsing list check, syntax: LISTNAME contains EXPRESSION"); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
314 end |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
315 local meta_deps = {}; |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
316 expr = meta(("%q"):format(expr), meta_deps); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
317 return ("list_%s:contains(%s) == true"):format(list_name, expr), { "list:"..list_name, unpack(meta_deps) }; |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
318 end |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
319 |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
320 -- SCAN: body for word in badwords |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
321 function condition_handlers.SCAN(scan_expression) |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
322 local search_name, pattern_name, list_name = scan_expression:match("(%S+) for (%S+) in (%S+)$"); |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
323 if not (search_name) then |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
324 error("Error parsing SCAN expression, syntax: SEARCH for PATTERN in LIST"); |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
325 end |
2584
d64fc9c3cffd
mod_firewall: Remove ambiguity from tokens dep parameter
Matthew Wild <mwild1@gmail.com>
parents:
2582
diff
changeset
|
326 return ("scan_list(list_%s, %s)"):format(list_name, "tokens_"..search_name.."_"..pattern_name), { "scan_list", "tokens:"..search_name.."-"..pattern_name, "list:"..list_name }; |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
327 end |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
328 |
2618
c6652d055ba3
mod_firewall: Add some more comments
Matthew Wild <mwild1@gmail.com>
parents:
2594
diff
changeset
|
329 -- COUNT: lines in body < 10 |
2545
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
330 local valid_comp_ops = { [">"] = ">", ["<"] = "<", ["="] = "==", ["=="] = "==", ["<="] = "<=", [">="] = ">=" }; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
331 function condition_handlers.COUNT(count_expression) |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
332 local pattern_name, search_name, comparator_expression = count_expression:match("(%S+) in (%S+) (.+)$"); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
333 if not (pattern_name) then |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
334 error("Error parsing COUNT expression, syntax: PATTERN in SEARCH COMPARATOR"); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
335 end |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
336 local value; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
337 comparator_expression = comparator_expression:gsub("%d+", function (value_string) |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
338 value = tonumber(value_string); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
339 return ""; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
340 end); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
341 if not value then |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
342 error("Error parsing COUNT expression, expected value"); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
343 end |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
344 local comp_op = comparator_expression:gsub("%s+", ""); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
345 assert(valid_comp_ops[comp_op], "Error parsing COUNT expression, unknown comparison operator: "..comp_op); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
346 return ("it_count(search_%s:gmatch(pattern_%s)) %s %d"):format(search_name, pattern_name, comp_op, value), { "it_count", "search:"..search_name, "pattern:"..pattern_name }; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
347 end |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
348 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
349 return condition_handlers; |