annotate mod_firewall/mod_firewall.lua @ 2573:24dbad147aef

mod_firewall: Fix meta functions with to/from that weren't JID-based
author Matthew Wild <mwild1@gmail.com>
date Sat, 25 Feb 2017 15:46:01 +0000
parents 78efd064aef3
children f65c5927ee8e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 local resolve_relative_path = require "core.configmanager".resolve_relative_path;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local logger = require "util.logger".init;
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
4 local it = require "util.iterators";
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
6 local definitions = module:shared("definitions");
2374
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
7 local active_definitions = {
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
8 ZONE = {
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
9 -- Default zone that includes all local hosts
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
10 ["$local"] = setmetatable({}, { __index = prosody.hosts });
2527
5ff7eb601d60 mod_firewall: Code formatting
Matthew Wild <mwild1@gmail.com>
parents: 2526
diff changeset
11 };
2374
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents: 2368
diff changeset
12 };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13
2113
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
14 local default_chains = {
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 preroute = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 type = "event";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 "pre-message/bare", "pre-message/full", "pre-message/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 "pre-presence/bare", "pre-presence/full", "pre-presence/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 "pre-iq/bare", "pre-iq/full", "pre-iq/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 deliver = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 type = "event";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 "message/bare", "message/full", "message/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 "presence/bare", "presence/full", "presence/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 "iq/bare", "iq/full", "iq/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 deliver_remote = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 type = "event"; "route/remote";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
2113
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
35 local extra_chains = module:get_option("firewall_extra_chains", {});
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
36
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
37 local chains = {};
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
38 for k,v in pairs(default_chains) do
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
39 chains[k] = v;
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
40 end
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
41 for k,v in pairs(extra_chains) do
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
42 chains[k] = v;
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
43 end
d75145297bf9 mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents: 2101
diff changeset
44
2124
89363766202c mod_firewall: Add comment to document idsafe()
Matthew Wild <mwild1@gmail.com>
parents: 2118
diff changeset
45 -- Returns the input if it is safe to be used as a variable name, otherwise nil
2099
a8c701631d0b mod_firewall: Make idsafe() a global function so libraries can re-use it
Matthew Wild <mwild1@gmail.com>
parents: 2080
diff changeset
46 function idsafe(name)
2527
5ff7eb601d60 mod_firewall: Code formatting
Matthew Wild <mwild1@gmail.com>
parents: 2526
diff changeset
47 return name:match("^%a[%w_]*$");
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
48 end
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
49
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
50 local meta_funcs = {
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
51 bare = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
52 return "jid_bare("..code..")", {"jid_bare"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
53 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
54 node = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
55 return "(jid_split("..code.."))", {"jid_split"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
56 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
57 host = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
58 return "(select(2, jid_split("..code..")))", {"jid_split"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
59 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
60 resource = function (code)
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
61 return "(select(3, jid_split("..code..")))", {"jid_split"};
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
62 end;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
63 };
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
64
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
65 -- Run quoted (%q) strings through this to allow them to contain code. e.g.: LOG=Received: $(stanza:top_tag())
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
66 function meta(s, deps, extra)
2385
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
67 return (s:gsub("$(%b())", function (expr)
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
68 expr = expr:gsub("\\(.)", "%1");
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
69 return [["..tostring(]]..expr..[[).."]];
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents: 2374
diff changeset
70 end)
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
71 :gsub("$(%b<>)", function (expr)
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
72 expr = expr:sub(2,-2);
2538
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
73 local default = "<undefined>";
2561
3da0e3c917cc mod_firewall: Accept backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents: 2558
diff changeset
74 expr = expr:gsub("||(%b\"\")$", function (default_string)
3da0e3c917cc mod_firewall: Accept backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents: 2558
diff changeset
75 default = stripslashes(default_string:sub(2,-2));
2538
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
76 return "";
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
77 end);
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
78 local func_chain = expr:match("|[%w|]+$");
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
79 if func_chain then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
80 expr = expr:sub(1, -1-#func_chain);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
81 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
82 local code;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
83 if expr:match("^@") then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
84 -- Skip stanza:find() for simple attribute lookup
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
85 local attr_name = expr:sub(2);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
86 if deps and (attr_name == "to" or attr_name == "from" or attr_name == "type") then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
87 -- These attributes may be cached in locals
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
88 code = attr_name;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
89 table.insert(deps, attr_name);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
90 else
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
91 code = "stanza.attr["..("%q"):format(attr_name).."]";
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
92 end
2524
0404476ecfe3 mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents: 2520
diff changeset
93 elseif expr:match("^%w+#$") then
0404476ecfe3 mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents: 2520
diff changeset
94 code = ("stanza:get_child_text(%q)"):format(expr:sub(1, -2));
2368
7e1d8c46d788 mod_firewall: Support for default values in stanza paths
Matthew Wild <mwild1@gmail.com>
parents: 2367
diff changeset
95 else
2524
0404476ecfe3 mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents: 2520
diff changeset
96 code = ("stanza:find(%q)"):format(expr);
2368
7e1d8c46d788 mod_firewall: Support for default values in stanza paths
Matthew Wild <mwild1@gmail.com>
parents: 2367
diff changeset
97 end
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
98 if func_chain then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
99 for func_name in func_chain:gmatch("|(%w+)") do
2573
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
100 -- to/from are already available in local variables, use those if possible
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
101 if (code == "to" or code == "from") and func_name == "bare" then
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
102 code = "bare_"..code;
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
103 table.insert(deps, code);
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
104 elseif (code == "to" or code == "from") and (func_name == "node" or func_name == "host" or func_name == "resource") then
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
105 table.insert(deps, "split_"..code);
24dbad147aef mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents: 2562
diff changeset
106 code = code.."_"..func_name;
2518
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
107 else
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
108 assert(meta_funcs[func_name], "unknown function: "..func_name);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
109 local new_code, new_deps = meta_funcs[func_name](code);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
110 code = new_code;
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
111 if new_deps and #new_deps > 0 then
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
112 assert(deps, "function not supported here: "..func_name);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
113 for _, dep in ipairs(new_deps) do
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
114 table.insert(deps, dep);
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
115 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
116 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
117 end
0e1054c19f9d mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents: 2517
diff changeset
118 end
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
119 end
2538
a1b6a6b0aabb mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents: 2533
diff changeset
120 return "\"..tostring("..code.." or "..("%q"):format(default)..")..\"";
2125
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
121 end)
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
122 :gsub("$$(%a+)", extra or {})
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
123 :gsub([[^""%.%.]], "")
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
124 :gsub([[%.%.""$]], ""));
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
125 end
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents: 2124
diff changeset
126
2547
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
127 function metaq(s, ...)
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
128 return meta(("%q"):format(s), ...);
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
129 end
eb4f45bd7fef mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents: 2546
diff changeset
130
2546
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
131 local escape_chars = {
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
132 a = "\a", b = "\b", f = "\f", n = "\n", r = "\r", t = "\t",
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
133 v = "\v", ["\\"] = "\\", ["\""] = "\"", ["\'"] = "\'"
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
134 };
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
135 function stripslashes(s)
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
136 return (s:gsub("\\(.)", escape_chars));
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
137 end
6e4494772328 mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents: 2544
diff changeset
138
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
139 -- Dependency locations:
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
140 -- <type lib>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
141 -- <type global>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
142 -- function handler()
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
143 -- <local deps>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
144 -- if <conditions> then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
145 -- <actions>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
146 -- end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
147 -- end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
148
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
149 local available_deps = {
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
150 st = { global_code = [[local st = require "util.stanza";]]};
2544
223eea31588d mod_firewall: Add it(erators) and it_count dependencies
Matthew Wild <mwild1@gmail.com>
parents: 2543
diff changeset
151 it = { global_code = [[local it = require "util.iterators";]]};
223eea31588d mod_firewall: Add it(erators) and it_count dependencies
Matthew Wild <mwild1@gmail.com>
parents: 2543
diff changeset
152 it_count = { global_code = [[local it_count = it.count;]], depends = { "it" } };
2548
ce08a57e516b mod_firewall: Add 'current_host' variable/dependency
Matthew Wild <mwild1@gmail.com>
parents: 2547
diff changeset
153 current_host = { global_code = [[local current_host = module.host;]] };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
154 jid_split = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
155 global_code = [[local jid_split = require "util.jid".split;]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
156 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
157 jid_bare = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
158 global_code = [[local jid_bare = require "util.jid".bare;]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
159 };
2412
9159f9166893 mod_firewall: Use the sender bare JID instead of 'to' for stanzas to self
Kim Alvefur <zash@zash.se>
parents: 2404
diff changeset
160 to = { local_code = [[local to = stanza.attr.to or jid_bare(session.full_jid);]]; depends = { "jid_bare" } };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
161 from = { local_code = [[local from = stanza.attr.from;]] };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
162 type = { local_code = [[local type = stanza.attr.type;]] };
2415
07d7036040ee mod_firewall: Insert semicolons after some statements to prevent ambiguous syntax in output (fixes #797)
Kim Alvefur <zash@zash.se>
parents: 2412
diff changeset
163 name = { local_code = [[local name = stanza.name;]] };
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
164 split_to = { -- The stanza's split to address
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
165 depends = { "jid_split", "to" };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
166 local_code = [[local to_node, to_host, to_resource = jid_split(to);]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 split_from = { -- The stanza's split from address
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
169 depends = { "jid_split", "from" };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
170 local_code = [[local from_node, from_host, from_resource = jid_split(from);]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
171 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
172 bare_to = { depends = { "jid_bare", "to" }, local_code = "local bare_to = jid_bare(to)"};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
173 bare_from = { depends = { "jid_bare", "from" }, local_code = "local bare_from = jid_bare(from)"};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
174 group_contains = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
175 global_code = [[local group_contains = module:depends("groups").group_contains]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
176 };
2418
ef95853cf900 mod_firewall: More semicolons
Kim Alvefur <zash@zash.se>
parents: 2416
diff changeset
177 is_admin = { global_code = [[local is_admin = require "core.usermanager".is_admin;]]};
ef95853cf900 mod_firewall: More semicolons
Kim Alvefur <zash@zash.se>
parents: 2416
diff changeset
178 core_post_stanza = { global_code = [[local core_post_stanza = prosody.core_post_stanza;]] };
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
179 zone = { global_code = function (zone)
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
180 assert(idsafe(zone), "Invalid zone name: "..zone);
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
181 return ("local zone_%s = zones[%q] or {};"):format(zone, zone);
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
182 end };
966
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
183 date_time = { global_code = [[local os_date = os.date]]; local_code = [[local current_date_time = os_date("*t");]] };
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
184 time = { local_code = function (what)
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
185 local defs = {};
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
186 for field in what:gmatch("%a+") do
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
187 table.insert(defs, ("local current_%s = current_date_time.%s;"):format(field, field));
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
188 end
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
189 return table.concat(defs, " ");
a65df6e97d94 mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents: 965
diff changeset
190 end, depends = { "date_time" }; };
2418
ef95853cf900 mod_firewall: More semicolons
Kim Alvefur <zash@zash.se>
parents: 2416
diff changeset
191 timestamp = { global_code = [[local get_time = require "socket".gettime;]]; local_code = [[local current_timestamp = get_time();]]; };
2128
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
192 globalthrottle = {
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
193 global_code = function (throttle)
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
194 assert(idsafe(throttle), "Invalid rate limit name: "..throttle);
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
195 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle);
2128
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
196 return ("local global_throttle_%s = rates.%s:single();"):format(throttle, throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
197 end;
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
198 };
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
199 multithrottle = {
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
200 global_code = function (throttle)
2130
9239893a2400 mod_firewall: Don't use util.cache unless it's needed, and add explanatory error if it is not available
Matthew Wild <mwild1@gmail.com>
parents: 2128
diff changeset
201 assert(pcall(require, "util.cache"), "Using LIMIT with 'on' requires Prosody 0.10 or higher");
2128
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
202 assert(idsafe(throttle), "Invalid rate limit name: "..throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
203 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents: 2126
diff changeset
204 return ("local multi_throttle_%s = rates.%s:multi();"):format(throttle, throttle);
971
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
205 end;
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents: 967
diff changeset
206 };
2402
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
207 rostermanager = {
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
208 global_code = [[local rostermanager = require "core.rostermanager";]];
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
209 };
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2130
diff changeset
210 roster_entry = {
2416
ade918cd9ca7 mod_firewall: Only call rostermanager if username is available (fixes #796)
Kim Alvefur <zash@zash.se>
parents: 2415
diff changeset
211 local_code = [[local roster_entry = (to_node and rostermanager.load_roster(to_node, to_host) or {})[bare_from];]];
2402
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
212 depends = { "rostermanager", "split_to", "bare_from" };
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents: 2385
diff changeset
213 };
2520
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
214 list = { global_code = function (list)
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
215 assert(idsafe(list), "Invalid list name: "..list);
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
216 assert(active_definitions.LIST[list], "Unknown list: "..list);
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
217 return ("local list_%s = lists[%q];"):format(list, list);
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
218 end
c6fd8975704b mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents: 2518
diff changeset
219 };
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
220 search = {
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
221 local_code = function (search_name)
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
222 local search_path = assert(active_definitions.SEARCH[search_name], "Undefined search path: "..search_name);
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
223 return ("local search_%s = tostring(stanza:find(%q) or \"\")"):format(search_name, search_path);
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
224 end;
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
225 };
2543
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
226 pattern = {
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
227 local_code = function (pattern_name)
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
228 local pattern = assert(active_definitions.PATTERN[pattern_name], "Undefined pattern: "..pattern_name);
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
229 return ("local pattern_%s = %q"):format(pattern_name, pattern);
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
230 end;
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
231 };
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
232 tokens = {
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
233 local_code = function (search_and_pattern)
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
234 local search_name, pattern_name = search_and_pattern:match("^([^%-]+)_(.+)$");
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
235 local code = ([[local tokens_%s_%s = {};
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
236 if search_%s then
2543
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
237 for s in search_%s:gmatch(pattern_%s) do
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
238 tokens_%s_%s[s] = true;
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
239 end
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
240 end
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
241 ]]):format(search_name, pattern_name, search_name, search_name, pattern_name, search_name, pattern_name);
2543
3c16f0a8d66c mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents: 2539
diff changeset
242 return code, { "search:"..search_name, "pattern:"..pattern_name };
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
243 end;
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
244 };
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
245 scan_list = {
2533
9aed7f4e9f07 mod_firewall: Fix scan_list() syntax error in generated code
Matthew Wild <mwild1@gmail.com>
parents: 2528
diff changeset
246 global_code = [[local function scan_list(list, items) for item in pairs(items) do if list:contains(item) then return true; end end end]];
2528
44a71584521d mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents: 2527
diff changeset
247 }
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
248 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
249
2077
368b091e723b mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2076
diff changeset
250 local function include_dep(dependency, code)
368b091e723b mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2076
diff changeset
251 local dep, dep_param = dependency:match("^([^:]+):?(.*)$");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
252 local dep_info = available_deps[dep];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
253 if not dep_info then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
254 module:log("error", "Dependency not found: %s", dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
255 return;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
256 end
2517
3990b1bca308 mod_firewall: Fix circular dependency check
Matthew Wild <mwild1@gmail.com>
parents: 2464
diff changeset
257 if code.included_deps[dep] ~= nil then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
258 if code.included_deps[dep] ~= true then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
259 module:log("error", "Circular dependency on %s", dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
260 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
261 return;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
262 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
263 code.included_deps[dep] = false; -- Pending flag (used to detect circular references)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
264 for _, dep_dep in ipairs(dep_info.depends or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
265 include_dep(dep_dep, code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
266 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
267 if dep_info.global_code then
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
268 if dep_param ~= "" then
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
269 local global_code, deps = dep_info.global_code(dep_param);
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
270 if deps then
2562
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
271 for _, dep_dep in ipairs(deps) do
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
272 include_dep(dep_dep, code);
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
273 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
274 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
275 table.insert(code.global_header, global_code);
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
276 else
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
277 table.insert(code.global_header, dep_info.global_code);
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
278 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
279 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
280 if dep_info.local_code then
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
281 if dep_param ~= "" then
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
282 local local_code, deps = dep_info.local_code(dep_param);
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
283 if deps then
2562
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
284 for _, dep_dep in ipairs(deps) do
78efd064aef3 mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents: 2561
diff changeset
285 include_dep(dep_dep, code);
2525
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
286 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
287 end
a35d85cfda92 mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents: 2524
diff changeset
288 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..local_code.."\n");
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
289 else
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
290 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code.."\n");
965
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents: 960
diff changeset
291 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
292 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
293 code.included_deps[dep] = true;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
294 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
295
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
296 local definition_handlers = module:require("definitions");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
297 local condition_handlers = module:require("conditions");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
298 local action_handlers = module:require("actions");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
299
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
300 local function new_rule(ruleset, chain)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
301 assert(chain, "no chain specified");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
302 local rule = { conditions = {}, actions = {}, deps = {} };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
303 table.insert(ruleset[chain], rule);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
304 return rule;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
305 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
306
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
307 local function parse_firewall_rules(filename)
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
308 local line_no = 0;
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
309
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
310 local function errmsg(err)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
311 return "Error compiling "..filename.." on line "..line_no..": "..err;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
312 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
313
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
314 local ruleset = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
315 deliver = {};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
316 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
317
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
318 local chain = "deliver"; -- Default chain
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
319 local rule;
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
320
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
321 local file, err = io.open(filename);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
322 if not file then return nil, err; end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
323
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
324 local state; -- nil -> "rules" -> "actions" -> nil -> ...
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
325
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
326 local line_hold;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
327 for line in file:lines() do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
328 line = line:match("^%s*(.-)%s*$");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
329 if line_hold and line:sub(-1,-1) ~= "\\" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
330 line = line_hold..line;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
331 line_hold = nil;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
332 elseif line:sub(-1,-1) == "\\" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
333 line_hold = (line_hold or "")..line:sub(1,-2);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
334 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
335 line_no = line_no + 1;
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
336
2080
a435db77a5e5 mod_firewall: Silence warning about empty if branch [luacheck]
Kim Alvefur <zash@zash.se>
parents: 2078
diff changeset
337 if line_hold or line:find("^[#;]") then -- luacheck: ignore 542
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
338 -- No action; comment or partial line
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
339 elseif line == "" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
340 if state == "rules" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
341 return nil, ("Expected an action on line %d for preceding criteria")
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
342 :format(line_no);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
343 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
344 state = nil;
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
345 elseif not(state) and line:sub(1, 2) == "::" then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
346 chain = line:gsub("^::%s*", "");
980
aeb11522a44f mod_firewall: Fix variable name
Kim Alvefur <zash@zash.se>
parents: 971
diff changeset
347 local chain_info = chains[chain];
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
348 if not chain_info then
2364
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
349 if chain:match("^user/") then
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
350 chains[chain] = { type = "event", priority = 1, pass_return = false };
2364
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
351 else
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
352 return nil, errmsg("Unknown chain: "..chain);
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
353 end
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
354 elseif chain_info.type ~= "event" then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
355 return nil, errmsg("Only event chains supported at the moment");
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
356 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
357 ruleset[chain] = ruleset[chain] or {};
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
358 elseif not(state) and line:sub(1,1) == "%" then -- Definition (zone, limit, etc.)
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
359 local what, name = line:match("^%%%s*(%w+) +([^ :]+)");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
360 if not definition_handlers[what] then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
361 return nil, errmsg("Definition of unknown object: "..what);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
362 elseif not name or not idsafe(name) then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
363 return nil, errmsg("Invalid "..what.." name");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
364 end
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
365
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
366 local val = line:match(": ?(.*)$");
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
367 if not val and line:find(":<") then -- Read from file
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
368 local fn = line:match(":< ?(.-)%s*$");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
369 if not fn then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
370 return nil, errmsg("Unable to parse filename");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
371 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
372 local f, err = io.open(fn);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
373 if not f then return nil, errmsg(err); end
2526
b2fc41001c8e mod_firewall: Fix pattern
Matthew Wild <mwild1@gmail.com>
parents: 2525
diff changeset
374 val = f:read("*a"):gsub("\r?\n", " "):gsub("%s+$", "");
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
375 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
376 if not val then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
377 return nil, errmsg("No value given for definition");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
378 end
2550
19a182651a9b mod_firewall: Allow backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents: 2549
diff changeset
379 val = stripslashes(val);
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
380 local ok, ret = pcall(definition_handlers[what], name, val);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
381 if not ok then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
382 return nil, errmsg(ret);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
383 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
384
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
385 if not active_definitions[what] then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
386 active_definitions[what] = {};
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
387 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
388 active_definitions[what][name] = ret;
2539
1510b66a43fc mod_firewall: Allow using spaces instead of underscores in actions, as well as conditions
Matthew Wild <mwild1@gmail.com>
parents: 2538
diff changeset
389 elseif line:find("^[%w_ ]+[%.=]") then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
390 -- Action
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
391 if state == nil then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
392 -- This is a standalone action with no conditions
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
393 rule = new_rule(ruleset, chain);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
394 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
395 state = "actions";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
396 -- Action handlers?
2539
1510b66a43fc mod_firewall: Allow using spaces instead of underscores in actions, as well as conditions
Matthew Wild <mwild1@gmail.com>
parents: 2538
diff changeset
397 local action = line:match("^[%w_ ]+"):upper():gsub(" ", "_");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
398 if not action_handlers[action] then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
399 return nil, ("Unknown action on line %d: %s"):format(line_no, action or "<unknown>");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
400 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
401 table.insert(rule.actions, "-- "..line)
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
402 local ok, action_string, action_deps = pcall(action_handlers[action], line:match("=(.+)$"));
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
403 if not ok then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
404 return nil, errmsg(action_string);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
405 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
406 table.insert(rule.actions, action_string);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
407 for _, dep in ipairs(action_deps or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
408 table.insert(rule.deps, dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
409 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
410 elseif state == "actions" then -- state is actions but action pattern did not match
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
411 state = nil; -- Awaiting next rule, etc.
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
412 table.insert(ruleset[chain], rule);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
413 rule = nil;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
414 else
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
415 if not state then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
416 state = "rules";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
417 rule = new_rule(ruleset, chain);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
418 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
419 -- Check standard modifiers for the condition (e.g. NOT)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
420 local negated;
2404
9af2d36567a8 mod_firewall: Allow conditions to end with a question mark
Kim Alvefur <zash@zash.se>
parents: 2402
diff changeset
421 local condition = line:match("^[^:=%.?]*");
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
422 if condition:find("%f[%w]NOT%f[^%w]") then
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
423 local s, e = condition:match("%f[%w]()NOT()%f[^%w]");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
424 condition = (condition:sub(1,s-1)..condition:sub(e+1, -1)):match("^%s*(.-)%s*$");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
425 negated = true;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
426 end
998
6fdcebbd2284 mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents: 996
diff changeset
427 condition = condition:gsub(" ", "_");
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
428 if not condition_handlers[condition] then
998
6fdcebbd2284 mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents: 996
diff changeset
429 return nil, ("Unknown condition on line %d: %s"):format(line_no, (condition:gsub("_", " ")));
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
430 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
431 -- Get the code for this condition
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
432 local ok, condition_code, condition_deps = pcall(condition_handlers[condition], line:match(":%s?(.+)$"));
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
433 if not ok then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
434 return nil, errmsg(condition_code);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
435 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
436 if negated then condition_code = "not("..condition_code..")"; end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
437 table.insert(rule.conditions, condition_code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
438 for _, dep in ipairs(condition_deps or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
439 table.insert(rule.deps, dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
440 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
441 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
442 end
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
443 return ruleset;
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
444 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
445
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
446 local function process_firewall_rules(ruleset)
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
447 -- Compile ruleset and return complete code
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
448
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
449 local chain_handlers = {};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
450
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
451 -- Loop through the chains in the parsed ruleset (e.g. incoming, outgoing)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
452 for chain_name, rules in pairs(ruleset) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
453 local code = { included_deps = {}, global_header = {} };
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
454 local condition_uses = {};
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
455 -- This inner loop assumes chain is an event-based, not a filter-based
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
456 -- chain (filter-based will be added later)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
457 for _, rule in ipairs(rules) do
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
458 for _, condition in ipairs(rule.conditions) do
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
459 if condition:find("^not%(.+%)$") then
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
460 condition = condition:match("^not%((.+)%)$");
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
461 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
462 condition_uses[condition] = (condition_uses[condition] or 0) + 1;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
463 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
464 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
465
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
466 local condition_cache, n_conditions = {}, 0;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
467 for _, rule in ipairs(rules) do
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
468 for _, dep in ipairs(rule.deps) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
469 include_dep(dep, code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
470 end
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
471 table.insert(code, "\n\t\t");
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
472 local rule_code;
967
a88f33fe6970 mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents: 966
diff changeset
473 if #rule.conditions > 0 then
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
474 for i, condition in ipairs(rule.conditions) do
1001
c0850793b716 mod_firewall: don't use %b() (not technically correct)
Matthew Wild <mwild1@gmail.com>
parents: 999
diff changeset
475 local negated = condition:match("^not%(.+%)$");
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
476 if negated then
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
477 condition = condition:match("^not%((.+)%)$");
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
478 end
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
479 if condition_uses[condition] > 1 then
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
480 local name = condition_cache[condition];
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
481 if not name then
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
482 n_conditions = n_conditions + 1;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
483 name = "condition"..n_conditions;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
484 condition_cache[condition] = name;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
485 table.insert(code, "local "..name.." = "..condition..";\n\t\t");
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
486 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
487 rule.conditions[i] = (negated and "not(" or "")..name..(negated and ")" or "");
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
488 else
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
489 rule.conditions[i] = (negated and "not(" or "(")..condition..")";
996
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
490 end
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents: 980
diff changeset
491 end
1304
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents: 1303
diff changeset
492
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
493 rule_code = "if "..table.concat(rule.conditions, " and ").." then\n\t\t\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
494 ..table.concat(rule.actions, "\n\t\t\t")
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
495 .."\n\t\tend\n";
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
496 else
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
497 rule_code = table.concat(rule.actions, "\n\t\t");
967
a88f33fe6970 mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents: 966
diff changeset
498 end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
499 table.insert(code, rule_code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
500 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
501
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
502 for name in pairs(definition_handlers) do
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
503 table.insert(code.global_header, 1, "local "..name:lower().."s = definitions."..name..";");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
504 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
505
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
506 local code_string = "return function (definitions, fire_event, log, module, pass_return)\n\t"
1303
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
507 ..table.concat(code.global_header, "\n\t")
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
508 .."\n\tlocal db = require 'util.debug';\n\n\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
509 .."return function (event)\n\t\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
510 .."local stanza, session = event.stanza, event.origin;\n"
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
511 ..table.concat(code, "")
8a3f3f485675 mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents: 1052
diff changeset
512 .."\n\tend;\nend";
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
513
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
514 chain_handlers[chain_name] = code_string;
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
515 end
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
516
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
517 return chain_handlers;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
518 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
519
2078
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
520 local function compile_firewall_rules(filename)
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
521 local ruleset, err = parse_firewall_rules(filename);
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
522 if not ruleset then return nil, err; end
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
523 local chain_handlers = process_firewall_rules(ruleset);
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
524 return chain_handlers;
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
525 end
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents: 2077
diff changeset
526
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
527 -- Compile handler code into a factory that produces a valid event handler. Factory accepts
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
528 -- a value to be returned on PASS
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
529 local function compile_handler(code_string, filename)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
530 -- Prepare event handler function
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
531 local chunk, err = loadstring(code_string, "="..filename);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
532 if not chunk then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
533 return nil, "Error compiling (probably a compiler bug, please report): "..err;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
534 end
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
535 local function fire_event(name, data)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
536 return module:fire_event(name, data);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
537 end
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
538 return function (pass_return)
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
539 return chunk()(active_definitions, fire_event, logger(filename), module, pass_return); -- Returns event handler with upvalues
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
540 end
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
541 end
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
542
2366
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
543 local function resolve_script_path(script_path)
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
544 local relative_to = prosody.paths.config;
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
545 if script_path:match("^module:") then
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
546 relative_to = module.path:sub(1, -#("/mod_"..module.name..".lua"));
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
547 script_path = script_path:match("^module:(.+)$");
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
548 end
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
549 return resolve_relative_path(relative_to, script_path);
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
550 end
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
551
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
552 function module.load()
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
553 if not prosody.arg then return end -- Don't run in prosodyctl
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
554 active_definitions = {};
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
555 local firewall_scripts = module:get_option_set("firewall_scripts", {});
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
556 for script in firewall_scripts do
2366
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
557 script = resolve_script_path(script);
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
558 local chain_functions, err = compile_firewall_rules(script)
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1325
diff changeset
559
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
560 if not chain_functions then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
561 module:log("error", "Error compiling %s: %s", script, err or "unknown error");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
562 else
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
563 for chain, handler_code in pairs(chain_functions) do
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
564 local new_handler, err = compile_handler(handler_code, "mod_firewall::"..chain);
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
565 if not new_handler then
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
566 module:log("error", "Compilation error for %s: %s", script, err);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
567 else
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
568 local chain_definition = chains[chain];
1325
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
569 if chain_definition and chain_definition.type == "event" then
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
570 local handler = new_handler(chain_definition.pass_return);
1325
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
571 for _, event_name in ipairs(chain_definition) do
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
572 module:hook(event_name, handler, chain_definition.priority);
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
573 end
2070
2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents: 1343
diff changeset
574 elseif not chain:sub(1, 5) == "user/" then
956
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents: 955
diff changeset
575 module:log("warn", "Unknown chain %q", chain);
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
576 end
2558
2b533a7b5236 mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents: 2550
diff changeset
577 module:hook("firewall/chains/"..chain, new_handler(false));
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
578 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
579 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
580 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
581 end
999
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
582 -- Replace contents of definitions table (shared) with active definitions
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
583 for k in it.keys(definitions) do definitions[k] = nil; end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents: 998
diff changeset
584 for k,v in pairs(active_definitions) do definitions[k] = v; end
947
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
585 end
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
586
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
587 function module.command(arg)
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
588 if not arg[1] or arg[1] == "--help" then
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
589 require"util.prosodyctl".show_usage([[mod_firewall <firewall.pfw>]], [[Compile files with firewall rules to Lua code]]);
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
590 return 1;
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
591 end
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
592 local verbose = arg[1] == "-v";
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
593 if verbose then table.remove(arg, 1); end
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
594
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
595 local serialize = require "util.serialization".serialize;
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
596 if verbose then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
597 print("local logger = require \"util.logger\".init;");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
598 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
599 print("local function fire_event(name, data)\n\tmodule:fire_event(name, data)\nend");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
600 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
601 end
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
602
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
603 for _, filename in ipairs(arg) do
2366
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents: 2365
diff changeset
604 filename = resolve_script_path(filename);
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
605 print("do -- File "..filename);
2365
05dae9adf778 mod_firewall: Fix for when compiling on the command line and specifying multiple files
Matthew Wild <mwild1@gmail.com>
parents: 2364
diff changeset
606 local chain_functions = assert(compile_firewall_rules(filename));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
607 if verbose then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
608 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
609 print("local active_definitions = "..serialize(active_definitions)..";");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
610 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
611 end
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
612 local c = 0;
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
613 for chain, handler_code in pairs(chain_functions) do
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
614 c = c + 1;
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
615 print("---- Chain "..chain:gsub("_", " "));
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
616 local chain_func_name = "chain_"..tostring(c).."_"..chain:gsub("%p", "_");
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
617 if not verbose then
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
618 print(("%s = %s;"):format(chain_func_name, handler_code:sub(8)));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
619 else
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
620
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
621 print(("local %s = (%s)(active_definitions, fire_event, logger(%q));"):format(chain_func_name, handler_code:sub(8), filename));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
622 print();
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
623
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
624 local chain_definition = chains[chain];
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
625 if chain_definition and chain_definition.type == "event" then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
626 for _, event_name in ipairs(chain_definition) do
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
627 print(("module:hook(%q, %s, %d);"):format(event_name, chain_func_name, chain_definition.priority or 0));
2118
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents: 2117
diff changeset
628 end
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
629 end
2367
3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents: 2366
diff changeset
630 print(("module:hook(%q, %s, %d);"):format("firewall/chains/"..chain, chain_func_name, chain_definition.priority or 0));
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
631 end
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
632
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
633 print("---- End of chain "..chain);
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
634 print();
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
635 end
2117
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents: 2113
diff changeset
636 print("end -- End of file "..filename);
1052
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
637 end
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents: 1051
diff changeset
638 end