Software / code / prosody-modules
Annotate
mod_firewall/README.markdown @ 5939:db5128d1a16c
mod_report_forward: Fix traceback when reporting a specific message (thanks singpolyma)
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 30 May 2024 17:55:07 +0100 |
| parent | 5862:1ae8f7b3787a |
| rev | line source |
|---|---|
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
1 --- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
2 labels: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
3 - 'Stage-Alpha' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
4 summary: 'A rule-based stanza filtering module' |
|
4169
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
5 rockspec: |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
6 build: |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
7 modules: |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
8 mod_firewall.actions: actions.lib.lua |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
9 mod_firewall.conditions: conditions.lib.lua |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
10 mod_firewall.definitions: definitions.lib.lua |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
11 mod_firewall.marks: marks.lib.lua |
|
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
12 mod_firewall.test: test.lib.lua |
|
5522
e8f46195b292
mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se>
parents:
5235
diff
changeset
|
13 copy_directories: |
|
e8f46195b292
mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se>
parents:
5235
diff
changeset
|
14 - scripts |
|
4169
ae738969f38a
mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents:
4152
diff
changeset
|
15 --- |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
16 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
17 ------------------------------------------------------------------------ |
| 1782 | 18 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
19 **Note:** mod\_firewall is in its very early stages. This documentation |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
20 is liable to change, and some described functionality may be missing, |
|
2375
7ad312b4cefe
mod_firewall/README: Remove mention of comments section from google code
Kim Alvefur <zash@zash.se>
parents:
2370
diff
changeset
|
21 incomplete or contain bugs. |
| 1782 | 22 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
23 ------------------------------------------------------------------------ |
| 1782 | 24 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
25 Introduction |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
26 ============ |
| 1782 | 27 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
28 A firewall is an invaluable tool in the sysadmin's toolbox. However |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
29 while low-level firewalls such as iptables and pf are incredibly good at |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
30 what they do, they are generally not able to handle application-layer |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
31 rules. |
| 1782 | 32 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
33 The goal of mod\_firewall is to provide similar services at the XMPP |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
34 layer. Based on rule scripts it can efficiently block, bounce, drop, |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
35 forward, copy, redirect stanzas and more! Furthermore all rules can be |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
36 applied and updated dynamically at runtime without restarting the |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
37 server. |
| 1782 | 38 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
39 Details |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
40 ======= |
| 1782 | 41 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
42 mod\_firewall loads one or more scripts, and compiles these to Lua code |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
43 that reacts to stanzas flowing through Prosody. The firewall script |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
44 syntax is unusual, but straightforward. |
| 1782 | 45 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
46 A firewall script is dominated by rules. Each rule has two parts: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
47 conditions, and actions. When a stanza matches all of the conditions, |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
48 all of the actions are executed in order. |
| 1782 | 49 |
| 50 Here is a simple example to block stanzas from spammer@example.com: | |
| 51 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
52 FROM: spammer@example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
53 DROP. |
| 1782 | 54 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
55 FROM is a condition, and DROP is an action. This is about as simple as |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
56 it gets. How about heading to the other extreme? Let's demonstrate |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
57 something more complex that mod\_firewall can do for you: |
| 1782 | 58 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
59 %ZONE myorganisation: staff.myorg.example, support.myorg.example |
| 1782 | 60 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
61 ENTERING: myorganisation |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
62 KIND: message |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
63 TIME: 12am-9am, 5pm-12am, Saturday, Sunday |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
64 REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789. |
| 1782 | 65 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
66 This rule will reply with a short message whenever someone tries to send |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
67 a message to someone at any of the hosts defined in the 'myorganisation' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
68 outside of office hours. |
| 1782 | 69 |
|
2387
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
70 Specifying rule sets |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
71 -------------------- |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
72 |
|
2387
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
73 Firewall rules should be written into text files, e.g. `ruleset.pfw` file. |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
74 One or more rule files can be specified in the configuration using: |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
75 |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
76 firewall_scripts = { "path/to/ruleset.pfw", "path/to/ruleset2.pfw" } |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
77 |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
78 If multiple files are specified and they both add rules to the same [chains](#chains), |
|
2387
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
79 each file's rules will be processed in order, but the order of files is undefined. |
| 1782 | 80 |
|
4152
87daef9ed4e7
Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents:
4127
diff
changeset
|
81 Reloading Prosody's configuration also reloads firewall rules. |
|
87daef9ed4e7
Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents:
4127
diff
changeset
|
82 |
|
87daef9ed4e7
Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents:
4127
diff
changeset
|
83 Make sure that `firewall_scripts` is in the global section of the configuration file |
|
87daef9ed4e7
Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents:
4127
diff
changeset
|
84 and not below a virtual host or a component - unless you want per-vhost |
|
87daef9ed4e7
Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents:
4127
diff
changeset
|
85 firewall rules. |
|
87daef9ed4e7
Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents:
4127
diff
changeset
|
86 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
87 Conditions |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
88 ---------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
89 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
90 All conditions must come before any action in a rule block. The |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
91 condition name is followed by a colon (':'), and the value to test for. |
| 1782 | 92 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
93 A condition can be preceded or followed by `NOT` to negate its match. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
94 For example: |
| 1782 | 95 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
96 NOT FROM: user@example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
97 KIND NOT: message |
| 1782 | 98 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
99 Some conditions do not take parameters, and these should end with just a |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
100 question mark, like: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
101 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
102 IN ROSTER? |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
103 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
104 ### Zones |
| 1782 | 105 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
106 A 'zone' is one or more hosts or JIDs. It is possible to match when a |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
107 stanza is entering or leaving a zone, while at the same time not |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
108 matching traffic passing between JIDs in the same zone. |
| 1782 | 109 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
110 Zones are defined at the top of a script with the following syntax (they |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
111 are not part of a rule block): |
| 1782 | 112 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
113 %ZONE myzone: host1, host2, user@host3, foo.bar.example |
| 1782 | 114 |
|
2388
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
115 There is an automatic zone named `$local`, which automatically includes |
|
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
116 all of the current server's active hosts (including components). It can |
|
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
117 be used to match stanzas entering or leaving the current server. |
|
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
118 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
119 A host listed in a zone also matches all users on that host (but not |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
120 subdomains). |
| 1782 | 121 |
| 122 The following zone-matching conditions are supported: | |
| 123 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
124 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
125 ------------ ------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
126 `ENTERING` When a stanza is entering the named zone |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
127 `LEAVING` When a stanza is leaving the named zone |
| 1782 | 128 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
129 ### Lists |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
130 |
|
4583
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
131 It is possible to create or load lists of strings for use in scripts. For |
|
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
132 example, you might load a list of blocked JIDs, malware URLs or simple words |
|
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
133 that you want to filter messages on. |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
134 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
135 List type Example |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
136 ----------- ----------------------- |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
137 memory %LIST spammers: memory |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
138 file %LIST spammers: file:/etc/spammers.txt |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
139 http %LIST spammers: http://example.com/spammers.txt |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
140 |
|
4126
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
141 #### List types |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
142 ##### memory |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
143 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
144 ``` |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
145 %LIST name: memory (limit: number) |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
146 ``` |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
147 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
148 A memory-only list, with an optional limit. Supports addition and removal of items by scripts. |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
149 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
150 If a limit is provided, the oldest item will be discarded to make room for a new item if the |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
151 list is full. The limit is useful to prevent infinite memory growth on busy servers. |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
152 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
153 ##### file |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
154 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
155 ``` |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
156 %LIST name: file:/path/to/file (missing: string) |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
157 ``` |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
158 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
159 Reads a list from a file. The list can be added to and removed from by scripts, but |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
160 these changes do not persist between restarts. |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
161 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
162 If the file is missing, an error will be raised. The optional 'missing' parameter can be set |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
163 to 'ignore' (e.g. `(missing: ignore)`) to ignore a missing file. |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
164 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
165 ##### http |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
166 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
167 ``` |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
168 %LIST name: http://example.com/ (ttl: number, pattern: pat, hash: sha1, checkcerts: when-sni) |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
169 ``` |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
170 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
171 Fetches a list from a HTTP or HTTPS URL. The following options are accepted: |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
172 |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
173 Option Description |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
174 ------- ----------- |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
175 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour). |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
176 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item. |
|
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
177 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256. |
|
4127
e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents:
4126
diff
changeset
|
178 checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni". |
|
e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents:
4126
diff
changeset
|
179 |
|
e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents:
4126
diff
changeset
|
180 The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI, |
|
e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents:
4126
diff
changeset
|
181 as in Prosody 0.11.6 and earlier. |
|
4126
68ceb7e0cfe6
mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents:
4072
diff
changeset
|
182 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
183 #### CHECK LIST |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
184 |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
185 Checks whether a simple [expression](#expressions) is found in a given list. |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
186 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
187 Example: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
188 |
|
4583
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
189 %LIST blocked_jids: file:/etc/prosody/blocked_jids.txt |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
190 |
|
4583
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
191 # Rule to block presence subscription requests from blocked JIDs |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
192 KIND: presence |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
193 TYPE: subscribe |
|
4583
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
194 CHECK LIST: blocked_jids contains $<@from> |
|
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
195 BOUNCE=policy-violation (Your JID is blocked) |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
196 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
197 #### SCAN |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
198 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
199 SCAN allows you to search inside a stanza for a given pattern, and check each result against a list. For example, |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
200 you could scan a message body for words and check if any of the words are found in a given list. |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
201 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
202 Before using SCAN, you need to define a search location and a pattern. The search location uses the same 'path' |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
203 format as documented under the 'INSPECT' condition. Patterns can be any valid Lua pattern. |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
204 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
205 To use the above example: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
206 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
207 # Define a search location called 'body' which fetches the text of the 'body' element |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
208 %SEARCH body: body# |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
209 # Define a pattern called 'word' which matches any sequence of letters |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
210 %PATTERN word: [A-Za-z]+ |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
211 # Finally, we also need our list of "bad" words: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
212 %LIST badwords: file:/etc/prosody/bad_words.txt |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
213 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
214 # Now we can use these to SCAN incoming stanzas |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
215 # If it finds a match, bounce the stanza |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
216 SCAN: body for word in badwords |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
217 BOUNCE=policy-violation (This word is not allowed!) |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
218 |
|
2545
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
219 #### COUNT |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
220 |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
221 COUNT is similar to SCAN, in that it uses a defined SEARCH and breaks it up according to a PATTERN. Then it |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
222 counts the number of results. |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
223 |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
224 For example, to block every message with more than one URL: |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
225 |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
226 # Define a search location called 'body' which fetches the text of the 'body' element |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
227 %SEARCH body: body# |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
228 # Define a pattern called 'url' which matches HTTP links |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
229 %PATTERN url: https?://%S+ |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
230 |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
231 COUNT: url in body > 1 |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
232 BOUNCE=policy-violation (Up to one HTTP URL is allowed in messages) |
|
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2540
diff
changeset
|
233 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
234 ### Stanza matching |
| 1782 | 235 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
236 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
237 ----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
238 `KIND` The kind of stanza. May be 'message', 'presence' or 'iq' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
239 `TYPE` The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
240 `PAYLOAD` The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
241 `INSPECT` The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
242 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
243 #### Stanza types |
| 1782 | 244 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
245 Stanza Valid types |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
246 ---------- ------------------------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
247 iq get, set, result, error |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
248 presence *available*, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
249 message normal, chat, groupchat, headline, error |
| 1782 | 250 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
251 **Note:** The type 'available' for presence does not actually appear in |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
252 the protocol. Available presence is signalled by the omission of a type. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
253 Similarly, a message stanza with no type is equivalent to one of type |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
254 'normal'. mod\_firewall handles these cases for you automatically. |
| 1782 | 255 |
|
5726
0ac4545cb4f9
mod_firewall: Tweak page outline
Kim Alvefur <zash@zash.se>
parents:
5530
diff
changeset
|
256 #### Sender/recipient matching |
| 1782 | 257 |
|
5530
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
258 Condition Matches |
|
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
259 --------------- ------------------------------------------------------- |
|
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
260 `FROM` The JID in the 'from' attribute matches the given JID. |
|
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
261 `TO` The JID in the 'to' attribute matches the given JID. |
|
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
262 `TO SELF` The stanza is sent by any of a user's resources to their own bare JID. |
|
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
263 `TO FULL JID` The stanza is addressed to a **valid** full JID on the local server (full JIDs include a resource at the end, and only exist for the lifetime of a single session, therefore the recipient **must be online**, or this check will not match). |
|
8226ac08484e
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents:
5529
diff
changeset
|
264 `FROM FULL JID` The stanza is from a full JID (unlike `TO FULL JID` this check is on the format of the JID only). |
| 1782 | 265 |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
266 The TO and FROM conditions both accept wildcards in the JID when it is |
|
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
267 enclosed in angle brackets ('\<...\>'). For example: |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
268 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
269 # All users at example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
270 FROM: <*>@example.com |
| 1782 | 271 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
272 # The user 'admin' on any subdomain of example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
273 FROM: admin@<*.example.com> |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
274 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
275 You can also use [Lua's pattern |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
276 matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
277 powerful matching abilities. Patterns are a lightweight |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
278 regular-expression alternative. Simply contain the pattern in double |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
279 angle brackets. The pattern is automatically anchored at the start and |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
280 end (so it must match the entire portion of the JID). |
| 1782 | 281 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
282 # Match admin@example.com, and admin1@example.com, etc. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
283 FROM: <<admin%d*>>@example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
284 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
285 **Note:** It is important to know that 'example.com' is a valid JID on |
|
4583
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
286 its own, and does **not** match 'user@example.com'. To efficiently match |
|
bb8459c220c9
mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents:
4236
diff
changeset
|
287 domains we recommend defining them as [Zones](#zones). |
| 1782 | 288 |
| 2047 | 289 Condition Matches |
| 290 ---------------- --------------------------------------------------------------- | |
| 291 `FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID | |
| 292 `TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID | |
|
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
293 |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
294 These additional conditions do not support pattern matching, but are |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
295 useful to match the exact to/from address on a stanza. For example, if |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
296 no resource is specified then only bare JIDs will be matched. TO and FROM |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
297 match all resources if no resource is specified to match. |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
298 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
299 **Note:** Some chains execute before Prosody has performed any |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
300 normalisation or validity checks on the to/from JIDs on an incoming |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
301 stanza. It is not advisable to perform access control or similar rules |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
302 on JIDs in these chains (see the [chain documentation](#chains) for more info). |
| 1782 | 303 |
|
5727
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
304 #### GeoIP matching |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
305 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
306 Condition Matches |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
307 ---------------- -------------------------------------------------------------- |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
308 `FROM COUNTRY` Two or three letter country code looked up in GeoIP database |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
309 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
310 This condition uses a GeoIP database to look up the origin country of |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
311 the IP attached to the current session. |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
312 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
313 For example: |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
314 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
315 # 3 letter country code |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
316 FROM COUNTRY: SWE |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
317 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
318 # or 2 letter |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
319 FROM COUNTRY: SE |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
320 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
321 # Explicit |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
322 FROM COUNTRY: code=SE |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
323 FROM COUNTRY: code3=SWE |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
324 |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
325 **Note:** This requires that the `lua-geoip` and `geoip-database` |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
326 packages are installed (on Debian, package names may differ on other |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
327 operating systems). |
|
ad5c77793750
mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents:
5726
diff
changeset
|
328 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
329 #### INSPECT |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
330 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
331 INSPECT takes a 'path' through the stanza to get a string (an attribute |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
332 value or text content). An example is the best way to explain. Let's |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
333 check that a user is not trying to register an account with the username |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
334 'admin'. This stanza comes from [XEP-0077: In-band |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
335 Registration](http://xmpp.org/extensions/xep-0077.html#example-4): |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
336 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
337 ``` xml |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
338 <iq type='set' id='reg2'> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
339 <query xmlns='jabber:iq:register'> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
340 <username>bill</username> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
341 <password>Calliope</password> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
342 <email>bard@shakespeare.lit</email> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
343 </query> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
344 </iq> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
345 ``` |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
346 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
347 KIND: iq |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
348 TYPE: set |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
349 PAYLOAD: jabber:iq:register |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
350 INSPECT: {jabber:iq:register}query/username#=admin |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
351 BOUNCE=not-allowed (The username 'admin' is reserved.) |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
352 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
353 That weird string deserves some explanation. It is a path, divided into |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
354 segments by '/'. Each segment describes an element by its name, |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
355 optionally prefixed by its namespace in curly braces ('{...}'). If the |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
356 path ends with a '\#' then the text content of the last element will be |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
357 returned. If the path ends with '@name' then the value of the attribute |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
358 'name' will be returned. |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
359 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
360 You can use INSPECT to test for the existence of an element or attribute, |
|
4235
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
361 or you can check if it matches a specific value, e.g. by appending `=VALUE` |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
362 (like in the example above, that checks if the content of username is 'admin'). |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
363 |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
364 #### INSPECT comparison operators |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
365 |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
366 As well as checking for an exact string match, there are some other modifiers |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
367 you can apply to the comparison: |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
368 |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
369 Comparison Matches when |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
370 ------------- ------------------------------------------------------- |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
371 `=` The value is exactly the given string. |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
372 `/=` The value is or *contains* the given string (e.g. `/=admin` would match `administrator` or `myadmin`). |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
373 `~=` The value matches the given [Lua pattern](https://www.lua.org/manual/5.2/manual.html#6.4.1). |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
374 |
|
4235
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
375 Finally, if the comparison operator is preceded by a `$` character, [expressions](#expressions) |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
376 will be interpreted in the string following the comparison operator. |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
377 |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
378 e.g. `INSPECT: {jabber:iq:register}query/username}$/=$(session.host)` would match |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
379 if the username of an account registration contained the session's current hostname |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
380 somewhere in it. |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
381 |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
382 #### INSPECT performance |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
383 |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
384 INSPECT can be somewhat slower than the other stanza matching conditions. To |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
385 minimise performance impact, always place it below other faster |
|
4235
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
386 condition checks where possible (e.g. in the example above we first checked KIND, |
|
45606c9f529a
mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents:
4169
diff
changeset
|
387 TYPE and PAYLOAD matched what we wanted before reaching the INSPECT rule). |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
388 |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
389 ### Roster |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
390 |
|
4966
4ffd6551f4bb
mod_firewall: README: Clarify when storage access can occur with roster checks
Matthew Wild <mwild1@gmail.com>
parents:
4965
diff
changeset
|
391 These conditions access the roster of the recipient (only). Therefore they cannot (currently) |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
392 be used in some [chains](#chains), such as for outgoing messages (the recipient may be on another server). |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
393 |
|
4966
4ffd6551f4bb
mod_firewall: README: Clarify when storage access can occur with roster checks
Matthew Wild <mwild1@gmail.com>
parents:
4965
diff
changeset
|
394 Performance note: these checks can potentially cause storage access (especially if the recipient |
|
4967
1e8381f0d0a8
mod_firewall: README: Fix grammar and further improve wording
Matthew Wild <mwild1@gmail.com>
parents:
4966
diff
changeset
|
395 is currently offline), so you may want to limit their use in high-traffic situations, and place rules |
|
4966
4ffd6551f4bb
mod_firewall: README: Clarify when storage access can occur with roster checks
Matthew Wild <mwild1@gmail.com>
parents:
4965
diff
changeset
|
396 containing a roster check below other rules (such as a rate limiter). The storage access is |
|
4967
1e8381f0d0a8
mod_firewall: README: Fix grammar and further improve wording
Matthew Wild <mwild1@gmail.com>
parents:
4966
diff
changeset
|
397 performed unconditionally just before evaluation of the first rule that contains a roster-based |
|
1e8381f0d0a8
mod_firewall: README: Fix grammar and further improve wording
Matthew Wild <mwild1@gmail.com>
parents:
4966
diff
changeset
|
398 condition, even if earlier conditions in that rule do not match. |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
399 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
400 #### IN ROSTER |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
401 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
402 Tests whether the sender is in the recipient's roster. |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
403 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
404 IN ROSTER? |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
405 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
406 #### IN ROSTER GROUP |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
407 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
408 Tests whether the sender is in the recipient's roster, and in the named group. |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
409 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
410 IN ROSTER GROUP: Friends |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
411 |
|
2410
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
412 #### SUBSCRIBED |
|
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
413 |
|
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
414 Tests whether the recipient is subscribed to the sender, ie will receive |
|
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
415 presence updates from them. |
|
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
416 |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
417 Note that this *does* work, regardless of direction and which [chain](#chain) is |
|
2410
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
418 used, since both the sender and the recipient will have mirrored roster |
|
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
419 entries. |
|
898e70e85185
mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents:
2390
diff
changeset
|
420 |
|
2390
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
421 ### Groups |
|
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
422 |
|
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
423 Using Prosody's mod\_groups it is possible to define groups of users on the server. You can |
|
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
424 match based on these groups in firewall rules. |
|
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
425 |
|
2594
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
426 Condition Matches |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
427 ----------------- ---------------------------- |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
428 `FROM GROUP` When the stanza is being sent from a member of the named group |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
429 `TO GROUP` When the stanza is being sent to a member of the named group |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
430 `CROSSING GROUPS` When the stanza is being sent between users of different named groups |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
431 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
432 #### CROSSING GROUPS |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
433 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
434 The `CROSSING GROUPS` condition takes a comma-separated list of groups to check. If the |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
435 sender and recipient are not in the same group (only the listed groups are checked), then the |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
436 this condition matches and the stanza is deemed to be crossing between groups. |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
437 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
438 For example, if you had three groups: Engineering, Marketing and Employees. All users are |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
439 members of the 'Employees' group, and the others are for employees of the named department only. |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
440 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
441 To prevent employees in the marketing department from communicating with engineers, you could use |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
442 the following rule: |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
443 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
444 ``` |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
445 CROSSING GROUPS: Marketing, Engineering |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
446 BOUNCE=policy-violation (no communication between these groups is allowed!) |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
447 ``` |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
448 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
449 This works, even though both the users are in the 'Employees' group, because that group is not listed |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
450 in the condition. |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
451 |
|
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2576
diff
changeset
|
452 In the above example, a user who is member of both groups is not restricted. |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
453 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
454 #### SENT DIRECTED PRESENCE TO SENDER |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
455 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
456 This condition matches if the recipient of a stanza has previously sent directed presence to the sender of the stanza. This |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
457 is often done in XMPP to exchange presence information with JIDs that are not on your roster, such as MUC rooms. |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
458 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
459 This condition does not take a parameter - end the condition name with a question mark: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
460 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
461 # Rule to bounce messages from senders not in the roster who haven't been sent directed presence |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
462 NOT IN ROSTER? |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
463 NOT SENT DIRECTED PRESENCE TO SENDER? |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
464 BOUNCE=service-unavailable |
|
2390
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
465 |
|
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
466 ### Permissions |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
467 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
468 Rules can consult Prosody's internal role and permissions system to check whether a certain action may |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
469 be performed. The acting entity, their role, and appropriate context is automatically inferred. All you |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
470 need to do is provide the identifier of the permission that should be checked. |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
471 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
472 Condition Description |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
473 ----------------------- -------------------------------------------------------------------- |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
474 `MAY=permission` Checks whether 'permission' is allowed in the current context. |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
475 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
476 As with all other conditions, `MAY` can be combined with `NOT` to negate the result of the check. |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
477 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
478 Example, blocking outgoing stanzas from users with roles that do not allow the 'xmpp:federate' permission: |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
479 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
480 ``` |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
481 ::deliver_remote |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
482 MAY NOT: xmpp:federate |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
483 BOUNCE=policy-violation (You are not allowed access to the federation) |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
484 ``` |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
485 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
486 ### Roles |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
487 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
488 Condition Matches |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
489 ---------------- ------------------------------------------------------------------------------------- |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
490 `TO ROLE` When the recipient JID of the stanza has the named role |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
491 `FROM ROLE` When the sender JID of the stanza has the named role |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
492 |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
493 **Note:** In most cases, you should avoid checking for specific roles, and instead check for |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
494 permissions granted by those roles (using the 'MAY' condition). |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
495 |
|
2390
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
496 ### Admins |
|
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
497 |
|
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
498 **Deprecated:** These conditions should no longer be used. Prefer 'MAY', 'TO ROLE' or 'FROM ROLE'. |
|
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4967
diff
changeset
|
499 |
|
2390
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
500 Prosody allows certain JIDs to be declared as administrators of a host, component or the whole server. |
|
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
501 |
|
2576
95b79d515a65
mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2559
diff
changeset
|
502 Condition Matches |
|
95b79d515a65
mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2559
diff
changeset
|
503 ---------------- ------------------------------------------------------------------------------------- |
|
95b79d515a65
mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2559
diff
changeset
|
504 `TO ADMIN` When the recipient of the stanza is admin of the current host |
|
95b79d515a65
mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2559
diff
changeset
|
505 `FROM ADMIN` When the sender of the stanza is admin of the current host |
|
95b79d515a65
mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2559
diff
changeset
|
506 `FROM ADMIN OF` When the sender of the stanza is an admin of the named host on the current server |
|
95b79d515a65
mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2559
diff
changeset
|
507 `TO ADMIN OF` When the recipient of the stanza is an admin of the named host on the current server |
|
2390
28fbe960adcf
mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents:
2389
diff
changeset
|
508 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
509 ### Time and date |
| 1782 | 510 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
511 #### TIME |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
512 |
| 1782 | 513 Matches stanzas sent during certain time periods. |
| 514 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
515 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
516 ----------- ------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
517 TIME When the current server local time is within one of the comma-separated time ranges given |
| 1782 | 518 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
519 TIME: 10pm-6am, 14:00-15:00 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
520 REPLY=Zzzz. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
521 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
522 #### DAY |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
523 |
| 1782 | 524 It is also possible to match only on certain days of the week. |
| 525 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
526 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
527 ----------- ----------------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
528 DAY When the current day matches one, or falls within a rage, in the given comma-separated list of days |
| 1782 | 529 |
| 530 Example: | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
531 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
532 DAY: Sat-Sun, Wednesday |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
533 REPLY=Sorry, I'm out enjoying life! |
| 1782 | 534 |
|
2102
2c225b4b93d2
mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents:
2096
diff
changeset
|
535 All times and dates are handled in the server's local time. |
|
2c225b4b93d2
mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents:
2096
diff
changeset
|
536 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
537 ### Rate-limiting |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
538 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
539 It is possible to selectively rate-limit stanzas, and use rules to |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
540 decide what to do with stanzas when over the limit. |
| 1782 | 541 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
542 First, you must define any rate limits that you are going to use in your |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
543 script. Here we create a limiter called 'normal' that will allow 2 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
544 stanzas per second, and then we define a rule to bounce messages when |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
545 over this limit. Note that the `RATE` definition is not part of a rule |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
546 (multiple rules can share the same limiter). |
| 1782 | 547 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
548 %RATE normal: 2 (burst 3) |
| 1782 | 549 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
550 KIND: message |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
551 LIMIT: normal |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
552 BOUNCE=policy-violation (Sending too fast!) |
| 1782 | 553 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
554 The 'burst' parameter on the rate limit allows you to spread the limit |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
555 check over a given time period. For example the definition shown above |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
556 will allow the limit to be temporarily surpassed, as long as it is |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
557 within the limit after 3 seconds. You will almost always want to specify |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
558 a burst factor. |
| 1782 | 559 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
560 Both the rate and the burst can be fractional values. For example a rate |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
561 of 0.1 means only one event is allowed every 10 seconds. |
| 1782 | 562 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
563 The LIMIT condition actually does two things; first it counts against |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
564 the given limiter, and then it checks to see if the limiter over its |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
565 limit yet. If it is, the condition matches, otherwise it will not. |
| 1782 | 566 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
567 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
568 ----------- -------------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
569 `LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit. |
| 1782 | 570 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
571 **Note:** Reloading mod\_firewall resets the current state of any |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
572 limiters. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
573 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
574 #### Dynamic limits |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
575 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
576 Sometimes you may want to have multiple throttles in a single condition, using some property of the session or stanza |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
577 to determine which throttle to use. For example, you might have a limit for incoming stanzas, but you want to limit by |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
578 sending JID, instead of all incoming stanzas sharing the same limit. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
579 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
580 You can use the 'on' keyword for this, like so: |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
581 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
582 LIMIT: normal on EXPRESSION |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
583 |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
584 For more information on [expressions](#expressions), see the section later in this document. |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
585 |
|
2370
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
586 Each value of 'EXPRESSION' has to be tracked individually in a table, which uses a small amount of memory. To prevent |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
587 memory exhaustion, the number of tracked values is limited to 1000 by default. You can override this by setting the |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
588 maximum number of table entries when you define the rate: |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
589 |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
590 %RATE normal: 2 (burst 3) (entries 4096) |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
591 |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
592 Old values are automatically removed from the tracking table. However if the tracking table becomes full, new entries |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
593 will be rejected - it will behave as if the rate limit was reached, even for values that have not been seen before. Since |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
594 this opens up a potential denial of service (innocent users may be affected if malicious users can fill up the tracking |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
595 table within the limit period). You can choose to instead "fail open", and allow the rate limit to be temporarily bypassed |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
596 when the table is full. To choose this behaviour, add `(allow overflow)` to the RATE definition. |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
597 |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
598 ### Session marking |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
599 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
600 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
601 `ORIGIN_MARKED` condition. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
602 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
603 Condition Description |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
604 ------------------------------- --------------------------------------------------------------- |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
605 ORIGIN MARKED: markname Matches if the origin has been marked with 'markname'. |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
606 ORIGIN MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds. |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
607 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
608 Example usage: |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
609 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
610 # This rule drops messages from sessions that have been marked as spammers in the past hour |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
611 ORIGIN MARKED: spammer (3600s) |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
612 DROP. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
613 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
614 # This rule marks the origin session as a spammer if they send a message to a honeypot JID |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
615 KIND: message |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
616 TO: honeypot@example.com |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
617 MARK ORIGIN=spammer |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
618 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
619 Actions |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
620 ------- |
| 1782 | 621 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
622 Actions come after all conditions in a rule block. There must be at |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
623 least one action, though conditions are optional. |
| 1782 | 624 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
625 An action without parameters ends with a full-stop/period ('.'), and one |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
626 with parameters uses an equals sign ('='): |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
627 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
628 # An action with no parameters: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
629 DROP. |
| 1782 | 630 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
631 # An action with a parameter: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
632 REPLY=Hello, this is a reply. |
| 1782 | 633 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
634 ### Route modification |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
635 |
|
5234
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
636 The following common actions modify the stanza's route in some way. These |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
637 rules will halt further processing of the stanza - no further actions will be |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
638 executed, and no further rules will be checked. |
| 1782 | 639 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
640 Action Description |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
641 ----------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
2559
99b32f77f00d
mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
642 `PASS.` Stop executing actions and rules on this stanza, and let it through this chain and any calling chains. |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
643 `DROP.` Stop executing actions and rules on this stanza, and discard it. |
|
2559
99b32f77f00d
mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
644 `DEFAULT.` Stop executing actions and rules on this stanza, prevent any other scripts/modules from handling it, to trigger the appropriate default "unhandled stanza" behaviour. Do not use in custom chains (it is treated as PASS). |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
645 `REDIRECT=jid` Redirect the stanza to the given JID. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
646 `BOUNCE.` Bounce the stanza with the default error (usually service-unavailable) |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
647 `BOUNCE=error` Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [RFC6120](http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions). |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
648 `BOUNCE=error (text)` As above, but include the supplied human-readable text with a description of the error |
|
5234
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
649 |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
650 **Note:** It is incorrect behaviour to reply to an 'error' stanza with another error, so BOUNCE will simply act the same as 'DROP' for stanzas that should not be bounced (error stanzas and iq results). |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
651 |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
652 ### Replying and forwarding |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
653 |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
654 These actions cause a new stanza to be generated and sent somewhere. |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
655 Processing of the original stanza will continue beyond these actions. |
|
f6c71d9d6dc0
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents:
5002
diff
changeset
|
656 |
|
5235
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
657 Action Description |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
658 ------------------------ --------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
659 `REPLY=text` Reply to the stanza (assumed to be a message) with the given text. |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
660 `COPY=jid` Make a copy of the stanza and send the copy to the specified JID. The copied stanza flows through Prosody's routing code, and as such is affected by firewall rules. Be careful to avoid loops. |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
661 `FORWARD=jid` Forward a copy of the stanza to the given JID (using XEP-0297). The stanza will be sent from the current host's JID. |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
662 |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
663 ### Reporting |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
664 |
|
5862
1ae8f7b3787a
mod_firewall: Fix REPORT TO action name in documentation
Matthew Wild <mwild1@gmail.com>
parents:
5727
diff
changeset
|
665 Action Description |
|
1ae8f7b3787a
mod_firewall: Fix REPORT TO action name in documentation
Matthew Wild <mwild1@gmail.com>
parents:
5727
diff
changeset
|
666 ------------------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
1ae8f7b3787a
mod_firewall: Fix REPORT TO action name in documentation
Matthew Wild <mwild1@gmail.com>
parents:
5727
diff
changeset
|
667 `REPORT TO=jid [reason] [text]` Forwards the full stanza to `jid` with a XEP-0377 abuse report attached. |
|
5235
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
668 |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
669 Only the `jid` is mandatory. The `reason` parameter should be either `abuse`, `spam` or a custom URI. If not specified, it defaults to `abuse`. |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
670 After the reason, some human-readable text may be included to explain the report. |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
671 |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
672 Example: |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
673 |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
674 ``` |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
675 KIND: message |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
676 TO: honeypot@example.com |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
677 REPORT TO=antispam.example.com spam Caught by the honeypot! |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
678 DROP. |
|
d0d251abf595
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents:
5234
diff
changeset
|
679 ``` |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
680 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
681 ### Stanza modification |
| 1782 | 682 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
683 These actions make it possible to modify the content and structure of a |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
684 stanza. |
| 1782 | 685 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
686 Action Description |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
687 ------------------------ ------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
688 `STRIP=name` Remove any child elements with the given name in the default namespace |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
689 `STRIP=name namespace` Remove any child elements with the given name and the given namespace |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
690 `INJECT=xml` Inject the given XML into the stanza as a child element |
| 1782 | 691 |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
692 ### Sessions |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
693 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
694 It is possible to mark sessions, and then use these marks to match rules later on. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
695 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
696 Action Description |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
697 ------------------------ -------------------------------------------------------------------------- |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
698 `MARK ORIGIN=mark` Marks the originating session with the given flag. |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
699 `UNMARK ORIGIN=mark` Removes the given mark from the origin session (if it is set). |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
700 |
|
2114
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
701 **Note:** Marks apply to sessions, not JIDs. E.g. if marking in a rule that matches a stanza received |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
702 over s2s, it is the s2s session that is marked. |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
703 |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
704 It is possible to have multiple marks on an origin at any given time. |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
705 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
706 ### Informational |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
707 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
708 Action Description |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
709 --------------- ------------------------------------------------------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
710 `LOG=message` Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]` |
|
2093
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
711 |
|
4236
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
712 You can include [expressions](#expressions) in log messages, using `$(...)` syntax. For example, to log the stanza that matched the rule, |
|
c316ad1087d4
mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents:
4235
diff
changeset
|
713 you can use `$(stanza)`, or to log just the top tag of the stanza, use `$(stanza:top_tag())`. To fetch the sender JID, use `$(stanza.attr.from)`. |
|
2093
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
714 |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
715 Example: |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
716 |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
717 # Log all stanzas to user@example.com: |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
718 TO: user@example.com |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
719 LOG=[debug] User received: $(stanza) |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
720 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
721 More info about expressions can be found below. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
722 |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
723 Chains |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
724 ------ |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
725 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
726 Rules are grouped into "chains", which are injected at particular points in Prosody's routing code. |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
727 |
|
2559
99b32f77f00d
mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
728 Available built-in chains are: |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
729 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
730 Chain Description |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
731 -------------- ------------------------------------------------------------------------------------------- |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
732 deliver Applies to stanzas delivered to local recipients (regardless of the stanza's origin) |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
733 deliver_remote Applies to stanzas delivered to remote recipients (just before they leave the local server) |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
734 preroute Applies to incoming stanzas from local users, before any routing rules are applied |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
735 |
|
2111
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
736 A chain is begun by a line `::name` where 'name' is the name of the chain you want the following rules to be |
|
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
737 inserted into. If no chain is specified, rules are put into the 'deliver' chain. |
|
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
738 |
|
4965
d7684aa81d8f
mod_firewall: README: Correct mention of 'JUMP_CHAIN' to 'JUMP CHAIN'
Matthew Wild <mwild1@gmail.com>
parents:
4583
diff
changeset
|
739 It is possible to create custom chains (useful with the `JUMP CHAIN` action described below). User-created |
|
2111
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
740 chains must begin with "user/", e.g. "user/spam_filtering". |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
741 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
742 Example of chain use: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
743 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
744 # example.com's firewall script |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
745 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
746 # This line is optional, because 'deliver' is the default chain anyway: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
747 ::deliver |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
748 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
749 # This rule matches any stanzas delivered to our local user bob: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
750 TO: bob@example.com |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
751 DROP. |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
752 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
753 # Oops! This rule will never match, because alice is not a local user, |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
754 # and only stanzas to local users go through the 'deliver' chain: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
755 TO: alice@remote.example.com |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
756 DROP. |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
757 |
|
2104
384fb28452b9
mod_firewall: README: Improve chain usage example comments
Matthew Wild <mwild1@gmail.com>
parents:
2103
diff
changeset
|
758 # Create a 'preroute' chain of rules (matched for incoming stanzas from local clients): |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
759 ::preroute |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
760 # These rules are matched for outgoing stanzas from local clients |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
761 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
762 # This will match any stanzas sent to alice from a local user: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
763 TO: alice@remote.example.com |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
764 DROP. |
|
2105
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
765 |
|
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
766 Action Description |
|
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
767 ------------------------ ------------------------------------------------------------------------ |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
768 `JUMP CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing. |
|
2559
99b32f77f00d
mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
769 `RETURN.` Stops executing the current chain and returns to the parent chain. For built-in chains, equivalent to PASS. RETURN is implicit at the end of every chain. |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
770 |
|
2389
a753b21968c5
mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
Matthew Wild <mwild1@gmail.com>
parents:
2388
diff
changeset
|
771 It is possible to jump to chains defined by other scripts and modules. |
|
a753b21968c5
mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
Matthew Wild <mwild1@gmail.com>
parents:
2388
diff
changeset
|
772 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
773 Expressions |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
774 ----------- |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
775 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
776 Some conditions and actions in rules support "expressions" in their parameters (their documentation will indicate if this is the case). Most parameters |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
777 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
778 rule is being run. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
779 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
780 There are two kinds of expression that you can use: stanza expressions, and code expressions. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
781 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
782 ### Stanza expressions |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
783 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
784 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
785 above. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
786 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
787 Example: |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
788 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
789 LOG=Matched a stanza from $<@from> to $<@to> |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
790 |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
791 There are built in functions which can be applied to the output of a stanza expression, by appending the pipe ('|') operator, followed by the function |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
792 name. These functions are: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
793 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
794 Function Description |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
795 ------------ --------------------------------------- |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
796 bare Given a JID, strip any resource |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
797 node Return the node ('user part') of a JID |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
798 host Return the host ('domain') part of a JID |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
799 resource Return the resource part of a JID |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
800 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
801 For example, to apply a rate limit to stanzas per sender domain: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
802 |
|
4072
2dcbc01c9931
mod_firewall: Fix example in README to use |host (thanks DebXWoody)
Matthew Wild <mwild1@gmail.com>
parents:
3197
diff
changeset
|
803 LIMIT normal on $<@from|host> |
|
2540
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
804 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
805 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) or any of the functions fail to produce an output (e.g. an invalid |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
806 JID was passed to a function that only handles valid JIDs) the expression will return the text `<undefined>`. You can override this by ending the expression |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
807 with a double pipe ('||') followed by a quoted string to use as a default instead. E.g. to default to the string "normal" when there is no 'type' attribute: |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
808 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
809 LOG=Stanza type is $<@type||"normal"> |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
810 |
|
d637bc0ac604
mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents:
2410
diff
changeset
|
811 ### Code expressions |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
812 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
813 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
814 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers) |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
815 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza, |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
816 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
817 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
818 Example to limit stanzas per session type: |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
819 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
820 LIMIT: normal on $(session.type) |
