
515:e98fe28c50b0

mod_host_guard: added exceptions/whitelisting to the blockall logic (makes little sense otherwise, as s2s_disallow = true does the same)
author Marco Cirillo <maranda@lightwitch.org>
date Tue, 20 Dec 2011 20:19:53 +0000
parents 514:46e1983486e9
children 516:3d3687fef751
files mod_host_guard/mod_host_guard.lua
diffstat 1 files changed, 5 insertions(+), 3 deletions(-) [+]
--- a/mod_host_guard/mod_host_guard.lua	Mon Dec 19 12:29:03 2011 +0000
+++ b/mod_host_guard/mod_host_guard.lua	Tue Dec 20 20:19:53 2011 +0000
@@ -4,6 +4,7 @@
 module:set_global()
 
 local guard_blockall = module:get_option_set("host_guard_blockall", {})
+local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {})
 local guard_protect = module:get_option_set("host_guard_selective", {})
 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
 
@@ -14,7 +15,7 @@
 local _make_connect = s2smanager.make_connect;
 function s2smanager.make_connect(session, connect_host, connect_port)
   if not session.s2sValidation then
-    if guard_blockall:contains(session.from_host) or
+    if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or
        guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
          module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host);
          s2smanager.destroy_session(session, "You're not authorized, good bye.");
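Review bot: The new condition on the changed line mixes `and` and `or` without parentheses, so the reader has to recall that Lua binds `and` tighter than `or` to see that the exception only narrows the blockall branch and does not touch the blacklist branch; the same shape is repeated in the later hunks on `host`/`from` and on `stanza.attr.to`/`stanza.attr.from`. Making the grouping explicit keeps the policy readable and guards against a later edit silently changing it: `if (guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host)) or`. A one-line comment above the check such as `-- blockall on the local host, unless the remote host is in host_guard_blockall_exceptions` would also document what the exceptions set is keyed on, since the local name `guard_ball_wl` does not say so. The body of s2smanager.make_connect continues past the end of this hunk.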
@@ -34,7 +35,7 @@
       session.s2sValidation = true;
     end
 
-    if guard_blockall:contains(host) or
+    if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or
        guard_block_bl:contains(from) and guard_protect:contains(host) then
          module:log("error", "remote service %s attempted to access restricted host %s", from, host);
          session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
@@ -47,7 +48,7 @@
 	local origin, stanza = event.origin, event.stanza;
 
 	if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
-	   if guard_blockall:contains(stanza.attr.to) or 
+	   if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or
 	      guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
                 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to);
                 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
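Review bot: The exception lookup on the changed line keys on `stanza.attr.from`, but the surrounding branch explicitly accepts `origin.type == "s2sin_unauthed"`, i.e. sessions whose claimed origin has not yet been verified; on such a session a stanza's `from` attribute is attacker-supplied until authentication completes. Whether core drops stanzas on unauthenticated inbound sessions before this handler runs cannot be confirmed from the hunk, so it seems safer to honor the exception only once the session is authenticated: `if guard_blockall:contains(stanza.attr.to) and not (origin.type == "s2sin" and guard_ball_wl:contains(stanza.attr.from)) or`. The enclosing handler's signature is above this hunk, so the exact event being hooked is not visible here.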
@@ -79,6 +80,7 @@
 local function reload()
 	module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
 	guard_blockall = module:get_option_set("host_guard_blockall", {});
+	guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {});
 	guard_protect = module:get_option_set("host_guard_components", {});
 	guard_block_bl = module:get_option_set("host_guard_blacklist", {});
 end
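Review bot: The reload path rereads `guard_protect` from `host_guard_components`, while the load-time assignment in the first hunk reads it from `host_guard_selective`, so a configuration reload replaces the selective list with a different (likely empty) option and the newly added exceptions behave differently before and after a reload. This predates the commit, but since reload() is being touched here the two should be brought into agreement: `guard_protect = module:get_option_set("host_guard_selective", {});`. A short comment on reload(), e.g. `-- must mirror the option names read at module load`, would help keep the two lists in sync as options are added.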