Software / code / prosody-modules
Annotate
mod_firewall/definitions.lib.lua @ 2494:d300ae5dba87
mod_smacks: Fix some bugs with smacks-ack-delayed event triggering.
The old code had several flaws which are addressed here.
First of all this fixes the if statement guarding the event generation
There where some timing glitches addressed by this commit as well.
| author | tmolitor <thilo@eightysoft.de> |
|---|---|
| date | Sun, 12 Feb 2017 21:23:22 +0100 |
| parent | 2370:5fe483b73fd2 |
| child | 2520:c6fd8975704b |
| rev | line source |
|---|---|
|
2079
edec9de0220a
mod_firewall: Silence warnings about unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1863
diff
changeset
|
1 |
|
edec9de0220a
mod_firewall: Silence warnings about unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1863
diff
changeset
|
2 -- Name arguments are unused here |
|
edec9de0220a
mod_firewall: Silence warnings about unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1863
diff
changeset
|
3 -- luacheck: ignore 212 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local definition_handlers = {}; |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
|
1863
92602cfac751
mod_firewall: Fix missing import of util.set (used to be global)
Kim Alvefur <zash@zash.se>
parents:
999
diff
changeset
|
7 local set = require"util.set"; |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 local new_throttle = require "util.throttle".create; |
|
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
9 |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
10 local multirate_cache_size = module:get_option_number("firewall_multirate_cache_limit", 1000); |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 function definition_handlers.ZONE(zone_name, zone_members) |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local zone_member_list = {}; |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 for member in zone_members:gmatch("[^, ]+") do |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 zone_member_list[#zone_member_list+1] = member; |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 end |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 return set.new(zone_member_list)._items; |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 end |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
|
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
20 -- Helper function used by RATE handler |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
21 local function evict_only_unthrottled(name, throttle) |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
22 throttle:update(); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
23 -- Check whether the throttle is at max balance (i.e. totally safe to forget about it) |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
24 if throttle.balance < throttle.max then |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
25 -- Not safe to forget |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
26 return false; |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
27 end |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
28 end |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
29 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 function definition_handlers.RATE(name, line) |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 local rate = assert(tonumber(line:match("([%d.]+)")), "Unable to parse rate"); |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 local burst = tonumber(line:match("%(%s*burst%s+([%d.]+)%s*%)")) or 1; |
|
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
33 local max_throttles = tonumber(line:match("%(%s*entries%s+([%d]+)%s*%)")) or multirate_cache_size; |
|
2370
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2131
diff
changeset
|
34 local deny_when_full = not line:match("%(allow overflow%)"); |
|
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
35 return { |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
36 single = function () |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
37 return new_throttle(rate*burst, burst); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
38 end; |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
39 |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
40 multi = function () |
|
2370
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2131
diff
changeset
|
41 local cache = require "util.cache".new(max_throttles, deny_when_full and evict_only_unthrottled or nil); |
|
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
42 return { |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
43 poll_on = function (_, key, amount) |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
44 assert(key, "no key"); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
45 local throttle = cache:get(key); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
46 if not throttle then |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
47 throttle = new_throttle(rate*burst, burst); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
48 if not cache:set(key, throttle) then |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
49 module:log("warn", "Multirate '%s' has hit its maximum number of active throttles (%d), denying new events", name, max_throttles); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
50 return false; |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
51 end |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
52 end |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
53 return throttle:poll(amount); |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
54 end; |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
55 } |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
56 end; |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2079
diff
changeset
|
57 }; |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 end |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 return definition_handlers; |
|
2131
ba42c8882026
mod_firewall: Fix another unprotected use of util.cache
Matthew Wild <mwild1@gmail.com>
parents:
2130
diff
changeset
|
61 |
