Mercurial > prosody-modules
annotate mod_firewall/mod_firewall.lua @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication bypass when no secret is given should be
relatively safe when the actor is unprivileged, as will be unless
explicitly configured otherwise.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 30 Mar 2019 21:16:13 +0100 |
parents | b0d92332b87f |
children | 7e8f2e36419d |
rev | line source |
---|---|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
2 local lfs = require "lfs"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local resolve_relative_path = require "core.configmanager".resolve_relative_path; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local logger = require "util.logger".init; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
5 local it = require "util.iterators"; |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
6 local set = require "util.set"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
2579
5e948d1392a5
mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents:
2578
diff
changeset
|
8 -- [definition_type] = definition_factory(param) |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
9 local definitions = module:shared("definitions"); |
2579
5e948d1392a5
mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents:
2578
diff
changeset
|
10 |
5e948d1392a5
mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents:
2578
diff
changeset
|
11 -- When a definition instance has been instantiated, it lives here |
5e948d1392a5
mod_firewall: Add some comments
Matthew Wild <mwild1@gmail.com>
parents:
2578
diff
changeset
|
12 -- [definition_type][definition_name] = definition_object |
2374
d630fa0d4dba
mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents:
2368
diff
changeset
|
13 local active_definitions = { |
d630fa0d4dba
mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents:
2368
diff
changeset
|
14 ZONE = { |
d630fa0d4dba
mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents:
2368
diff
changeset
|
15 -- Default zone that includes all local hosts |
d630fa0d4dba
mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents:
2368
diff
changeset
|
16 ["$local"] = setmetatable({}, { __index = prosody.hosts }); |
2527
5ff7eb601d60
mod_firewall: Code formatting
Matthew Wild <mwild1@gmail.com>
parents:
2526
diff
changeset
|
17 }; |
2374
d630fa0d4dba
mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
Matthew Wild <mwild1@gmail.com>
parents:
2368
diff
changeset
|
18 }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
2113
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
20 local default_chains = { |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 preroute = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 type = "event"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 "pre-message/bare", "pre-message/full", "pre-message/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 "pre-presence/bare", "pre-presence/full", "pre-presence/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 "pre-iq/bare", "pre-iq/full", "pre-iq/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 deliver = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 type = "event"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 "message/bare", "message/full", "message/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 "presence/bare", "presence/full", "presence/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 "iq/bare", "iq/full", "iq/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 deliver_remote = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 type = "event"; "route/remote"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 |
2113
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
41 local extra_chains = module:get_option("firewall_extra_chains", {}); |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
42 |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
43 local chains = {}; |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
44 for k,v in pairs(default_chains) do |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
45 chains[k] = v; |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
46 end |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
47 for k,v in pairs(extra_chains) do |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
48 chains[k] = v; |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
49 end |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2101
diff
changeset
|
50 |
2124
89363766202c
mod_firewall: Add comment to document idsafe()
Matthew Wild <mwild1@gmail.com>
parents:
2118
diff
changeset
|
51 -- Returns the input if it is safe to be used as a variable name, otherwise nil |
2099
a8c701631d0b
mod_firewall: Make idsafe() a global function so libraries can re-use it
Matthew Wild <mwild1@gmail.com>
parents:
2080
diff
changeset
|
52 function idsafe(name) |
2527
5ff7eb601d60
mod_firewall: Code formatting
Matthew Wild <mwild1@gmail.com>
parents:
2526
diff
changeset
|
53 return name:match("^%a[%w_]*$"); |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
54 end |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
55 |
2518
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
56 local meta_funcs = { |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
57 bare = function (code) |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
58 return "jid_bare("..code..")", {"jid_bare"}; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
59 end; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
60 node = function (code) |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
61 return "(jid_split("..code.."))", {"jid_split"}; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
62 end; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
63 host = function (code) |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
64 return "(select(2, jid_split("..code..")))", {"jid_split"}; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
65 end; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
66 resource = function (code) |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
67 return "(select(3, jid_split("..code..")))", {"jid_split"}; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
68 end; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
69 }; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
70 |
2125
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
71 -- Run quoted (%q) strings through this to allow them to contain code. e.g.: LOG=Received: $(stanza:top_tag()) |
2518
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
72 function meta(s, deps, extra) |
2385
c0c2f8665c3e
mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents:
2374
diff
changeset
|
73 return (s:gsub("$(%b())", function (expr) |
c0c2f8665c3e
mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents:
2374
diff
changeset
|
74 expr = expr:gsub("\\(.)", "%1"); |
c0c2f8665c3e
mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents:
2374
diff
changeset
|
75 return [["..tostring(]]..expr..[[).."]]; |
c0c2f8665c3e
mod_firewall: Fix for raw code expressions that contain escape-worthy characters
Matthew Wild <mwild1@gmail.com>
parents:
2374
diff
changeset
|
76 end) |
2125
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
77 :gsub("$(%b<>)", function (expr) |
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
78 expr = expr:sub(2,-2); |
2538
a1b6a6b0aabb
mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents:
2533
diff
changeset
|
79 local default = "<undefined>"; |
2561
3da0e3c917cc
mod_firewall: Accept backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents:
2558
diff
changeset
|
80 expr = expr:gsub("||(%b\"\")$", function (default_string) |
3da0e3c917cc
mod_firewall: Accept backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents:
2558
diff
changeset
|
81 default = stripslashes(default_string:sub(2,-2)); |
2538
a1b6a6b0aabb
mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents:
2533
diff
changeset
|
82 return ""; |
a1b6a6b0aabb
mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents:
2533
diff
changeset
|
83 end); |
2518
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
84 local func_chain = expr:match("|[%w|]+$"); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
85 if func_chain then |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
86 expr = expr:sub(1, -1-#func_chain); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
87 end |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
88 local code; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
89 if expr:match("^@") then |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
90 -- Skip stanza:find() for simple attribute lookup |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
91 local attr_name = expr:sub(2); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
92 if deps and (attr_name == "to" or attr_name == "from" or attr_name == "type") then |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
93 -- These attributes may be cached in locals |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
94 code = attr_name; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
95 table.insert(deps, attr_name); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
96 else |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
97 code = "stanza.attr["..("%q"):format(attr_name).."]"; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
98 end |
2524
0404476ecfe3
mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents:
2520
diff
changeset
|
99 elseif expr:match("^%w+#$") then |
0404476ecfe3
mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents:
2520
diff
changeset
|
100 code = ("stanza:get_child_text(%q)"):format(expr:sub(1, -2)); |
2368
7e1d8c46d788
mod_firewall: Support for default values in stanza paths
Matthew Wild <mwild1@gmail.com>
parents:
2367
diff
changeset
|
101 else |
2524
0404476ecfe3
mod_firewall: More meta() enhancements
Matthew Wild <mwild1@gmail.com>
parents:
2520
diff
changeset
|
102 code = ("stanza:find(%q)"):format(expr); |
2368
7e1d8c46d788
mod_firewall: Support for default values in stanza paths
Matthew Wild <mwild1@gmail.com>
parents:
2367
diff
changeset
|
103 end |
2518
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
104 if func_chain then |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
105 for func_name in func_chain:gmatch("|(%w+)") do |
2573
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
106 -- to/from are already available in local variables, use those if possible |
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
107 if (code == "to" or code == "from") and func_name == "bare" then |
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
108 code = "bare_"..code; |
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
109 table.insert(deps, code); |
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
110 elseif (code == "to" or code == "from") and (func_name == "node" or func_name == "host" or func_name == "resource") then |
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
111 table.insert(deps, "split_"..code); |
24dbad147aef
mod_firewall: Fix meta functions with to/from that weren't JID-based
Matthew Wild <mwild1@gmail.com>
parents:
2562
diff
changeset
|
112 code = code.."_"..func_name; |
2518
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
113 else |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
114 assert(meta_funcs[func_name], "unknown function: "..func_name); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
115 local new_code, new_deps = meta_funcs[func_name](code); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
116 code = new_code; |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
117 if new_deps and #new_deps > 0 then |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
118 assert(deps, "function not supported here: "..func_name); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
119 for _, dep in ipairs(new_deps) do |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
120 table.insert(deps, dep); |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
121 end |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
122 end |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
123 end |
0e1054c19f9d
mod_firewall: More meta! Allow simple functions to be applied to $<> expressions
Matthew Wild <mwild1@gmail.com>
parents:
2517
diff
changeset
|
124 end |
2125
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
125 end |
2538
a1b6a6b0aabb
mod_firewall: Reinstate the ability to set a default for stanza expressions
Matthew Wild <mwild1@gmail.com>
parents:
2533
diff
changeset
|
126 return "\"..tostring("..code.." or "..("%q"):format(default)..")..\""; |
2125
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
127 end) |
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
128 :gsub("$$(%a+)", extra or {}) |
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
129 :gsub([[^""%.%.]], "") |
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
130 :gsub([[%.%.""$]], "")); |
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
131 end |
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2124
diff
changeset
|
132 |
2547
eb4f45bd7fef
mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents:
2546
diff
changeset
|
133 function metaq(s, ...) |
eb4f45bd7fef
mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents:
2546
diff
changeset
|
134 return meta(("%q"):format(s), ...); |
eb4f45bd7fef
mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents:
2546
diff
changeset
|
135 end |
eb4f45bd7fef
mod_firewall: Add metaq(), like meta() but takes an unquoted string
Matthew Wild <mwild1@gmail.com>
parents:
2546
diff
changeset
|
136 |
2546
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
137 local escape_chars = { |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
138 a = "\a", b = "\b", f = "\f", n = "\n", r = "\r", t = "\t", |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
139 v = "\v", ["\\"] = "\\", ["\""] = "\"", ["\'"] = "\'" |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
140 }; |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
141 function stripslashes(s) |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
142 return (s:gsub("\\(.)", escape_chars)); |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
143 end |
6e4494772328
mod_firewall: Add stripslashes() function
Matthew Wild <mwild1@gmail.com>
parents:
2544
diff
changeset
|
144 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
145 -- Dependency locations: |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
146 -- <type lib> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
147 -- <type global> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
148 -- function handler() |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
149 -- <local deps> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
150 -- if <conditions> then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
151 -- <actions> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
152 -- end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
153 -- end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
154 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
155 local available_deps = { |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
156 st = { global_code = [[local st = require "util.stanza";]]}; |
2544
223eea31588d
mod_firewall: Add it(erators) and it_count dependencies
Matthew Wild <mwild1@gmail.com>
parents:
2543
diff
changeset
|
157 it = { global_code = [[local it = require "util.iterators";]]}; |
223eea31588d
mod_firewall: Add it(erators) and it_count dependencies
Matthew Wild <mwild1@gmail.com>
parents:
2543
diff
changeset
|
158 it_count = { global_code = [[local it_count = it.count;]], depends = { "it" } }; |
2548
ce08a57e516b
mod_firewall: Add 'current_host' variable/dependency
Matthew Wild <mwild1@gmail.com>
parents:
2547
diff
changeset
|
159 current_host = { global_code = [[local current_host = module.host;]] }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 jid_split = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
161 global_code = [[local jid_split = require "util.jid".split;]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 jid_bare = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 global_code = [[local jid_bare = require "util.jid".bare;]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 }; |
2412
9159f9166893
mod_firewall: Use the sender bare JID instead of 'to' for stanzas to self
Kim Alvefur <zash@zash.se>
parents:
2404
diff
changeset
|
166 to = { local_code = [[local to = stanza.attr.to or jid_bare(session.full_jid);]]; depends = { "jid_bare" } }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 from = { local_code = [[local from = stanza.attr.from;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
168 type = { local_code = [[local type = stanza.attr.type;]] }; |
2415
07d7036040ee
mod_firewall: Insert semicolons after some statements to prevent ambiguous syntax in output (fixes #797)
Kim Alvefur <zash@zash.se>
parents:
2412
diff
changeset
|
169 name = { local_code = [[local name = stanza.name;]] }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
170 split_to = { -- The stanza's split to address |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
171 depends = { "jid_split", "to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
172 local_code = [[local to_node, to_host, to_resource = jid_split(to);]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
173 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
174 split_from = { -- The stanza's split from address |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
175 depends = { "jid_split", "from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
176 local_code = [[local from_node, from_host, from_resource = jid_split(from);]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
177 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
178 bare_to = { depends = { "jid_bare", "to" }, local_code = "local bare_to = jid_bare(to)"}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
179 bare_from = { depends = { "jid_bare", "from" }, local_code = "local bare_from = jid_bare(from)"}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
180 group_contains = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
181 global_code = [[local group_contains = module:depends("groups").group_contains]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
182 }; |
2418 | 183 is_admin = { global_code = [[local is_admin = require "core.usermanager".is_admin;]]}; |
184 core_post_stanza = { global_code = [[local core_post_stanza = prosody.core_post_stanza;]] }; | |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
185 zone = { global_code = function (zone) |
2928
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
186 local var = zone; |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
187 if var == "$local" then |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
188 var = "_local"; -- See #1090 |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
189 else |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
190 assert(idsafe(var), "Invalid zone name: "..zone); |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
191 end |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2894
diff
changeset
|
192 return ("local zone_%s = zones[%q] or {};"):format(var, zone); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
193 end }; |
966
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
194 date_time = { global_code = [[local os_date = os.date]]; local_code = [[local current_date_time = os_date("*t");]] }; |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
195 time = { local_code = function (what) |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
196 local defs = {}; |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
197 for field in what:gmatch("%a+") do |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
198 table.insert(defs, ("local current_%s = current_date_time.%s;"):format(field, field)); |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
199 end |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
200 return table.concat(defs, " "); |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
201 end, depends = { "date_time" }; }; |
2418 | 202 timestamp = { global_code = [[local get_time = require "socket".gettime;]]; local_code = [[local current_timestamp = get_time();]]; }; |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
203 globalthrottle = { |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
204 global_code = function (throttle) |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
205 assert(idsafe(throttle), "Invalid rate limit name: "..throttle); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
206 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle); |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
207 return ("local global_throttle_%s = rates.%s:single();"):format(throttle, throttle); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
208 end; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
209 }; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
210 multithrottle = { |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
211 global_code = function (throttle) |
2130
9239893a2400
mod_firewall: Don't use util.cache unless it's needed, and add explanatory error if it is not available
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
212 assert(pcall(require, "util.cache"), "Using LIMIT with 'on' requires Prosody 0.10 or higher"); |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
213 assert(idsafe(throttle), "Invalid rate limit name: "..throttle); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
214 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2126
diff
changeset
|
215 return ("local multi_throttle_%s = rates.%s:multi();"):format(throttle, throttle); |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
216 end; |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
217 }; |
2402
2040330586e4
mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents:
2385
diff
changeset
|
218 rostermanager = { |
2040330586e4
mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents:
2385
diff
changeset
|
219 global_code = [[local rostermanager = require "core.rostermanager";]]; |
2040330586e4
mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents:
2385
diff
changeset
|
220 }; |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2130
diff
changeset
|
221 roster_entry = { |
2416
ade918cd9ca7
mod_firewall: Only call rostermanager if username is available (fixes #796)
Kim Alvefur <zash@zash.se>
parents:
2415
diff
changeset
|
222 local_code = [[local roster_entry = (to_node and rostermanager.load_roster(to_node, to_host) or {})[bare_from];]]; |
2402
2040330586e4
mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents:
2385
diff
changeset
|
223 depends = { "rostermanager", "split_to", "bare_from" }; |
2040330586e4
mod_firewall: Split import of rostermanager into its own dependency
Kim Alvefur <zash@zash.se>
parents:
2385
diff
changeset
|
224 }; |
2520
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2518
diff
changeset
|
225 list = { global_code = function (list) |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2518
diff
changeset
|
226 assert(idsafe(list), "Invalid list name: "..list); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2518
diff
changeset
|
227 assert(active_definitions.LIST[list], "Unknown list: "..list); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2518
diff
changeset
|
228 return ("local list_%s = lists[%q];"):format(list, list); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2518
diff
changeset
|
229 end |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2518
diff
changeset
|
230 }; |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
231 search = { |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
232 local_code = function (search_name) |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
233 local search_path = assert(active_definitions.SEARCH[search_name], "Undefined search path: "..search_name); |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
234 return ("local search_%s = tostring(stanza:find(%q) or \"\")"):format(search_name, search_path); |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
235 end; |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
236 }; |
2543
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
237 pattern = { |
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
238 local_code = function (pattern_name) |
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
239 local pattern = assert(active_definitions.PATTERN[pattern_name], "Undefined pattern: "..pattern_name); |
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
240 return ("local pattern_%s = %q"):format(pattern_name, pattern); |
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
241 end; |
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
242 }; |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
243 tokens = { |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
244 local_code = function (search_and_pattern) |
2584
d64fc9c3cffd
mod_firewall: Remove ambiguity from tokens dep parameter
Matthew Wild <mwild1@gmail.com>
parents:
2583
diff
changeset
|
245 local search_name, pattern_name = search_and_pattern:match("^([^%-]+)-(.+)$"); |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
246 local code = ([[local tokens_%s_%s = {}; |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
247 if search_%s then |
2543
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
248 for s in search_%s:gmatch(pattern_%s) do |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
249 tokens_%s_%s[s] = true; |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
250 end |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
251 end |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
252 ]]):format(search_name, pattern_name, search_name, search_name, pattern_name, search_name, pattern_name); |
2543
3c16f0a8d66c
mod_firewall: Do patterns properly, instead of cheating
Matthew Wild <mwild1@gmail.com>
parents:
2539
diff
changeset
|
253 return code, { "search:"..search_name, "pattern:"..pattern_name }; |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
254 end; |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
255 }; |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
256 scan_list = { |
2533
9aed7f4e9f07
mod_firewall: Fix scan_list() syntax error in generated code
Matthew Wild <mwild1@gmail.com>
parents:
2528
diff
changeset
|
257 global_code = [[local function scan_list(list, items) for item in pairs(items) do if list:contains(item) then return true; end end end]]; |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2527
diff
changeset
|
258 } |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
259 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
260 |
2077
368b091e723b
mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2076
diff
changeset
|
261 local function include_dep(dependency, code) |
368b091e723b
mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2076
diff
changeset
|
262 local dep, dep_param = dependency:match("^([^:]+):?(.*)$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
263 local dep_info = available_deps[dep]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
264 if not dep_info then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
265 module:log("error", "Dependency not found: %s", dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
266 return; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
267 end |
2583
b6b10f57aa56
mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents:
2580
diff
changeset
|
268 if code.included_deps[dependency] ~= nil then |
b6b10f57aa56
mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents:
2580
diff
changeset
|
269 if code.included_deps[dependency] ~= true then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
270 module:log("error", "Circular dependency on %s", dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
271 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
272 return; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
273 end |
2583
b6b10f57aa56
mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents:
2580
diff
changeset
|
274 code.included_deps[dependency] = false; -- Pending flag (used to detect circular references) |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
275 for _, dep_dep in ipairs(dep_info.depends or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
276 include_dep(dep_dep, code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
277 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
278 if dep_info.global_code then |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
279 if dep_param ~= "" then |
2525
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
280 local global_code, deps = dep_info.global_code(dep_param); |
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
281 if deps then |
2562
78efd064aef3
mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents:
2561
diff
changeset
|
282 for _, dep_dep in ipairs(deps) do |
78efd064aef3
mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents:
2561
diff
changeset
|
283 include_dep(dep_dep, code); |
2525
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
284 end |
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
285 end |
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
286 table.insert(code.global_header, global_code); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
287 else |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
288 table.insert(code.global_header, dep_info.global_code); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
289 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
290 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
291 if dep_info.local_code then |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
292 if dep_param ~= "" then |
2525
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
293 local local_code, deps = dep_info.local_code(dep_param); |
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
294 if deps then |
2562
78efd064aef3
mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents:
2561
diff
changeset
|
295 for _, dep_dep in ipairs(deps) do |
78efd064aef3
mod_firewall: Rename variables to avoid shadowing #luacheck
Matthew Wild <mwild1@gmail.com>
parents:
2561
diff
changeset
|
296 include_dep(dep_dep, code); |
2525
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
297 end |
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
298 end |
a35d85cfda92
mod_firewall: Fix for deps dynamically including deps
Matthew Wild <mwild1@gmail.com>
parents:
2524
diff
changeset
|
299 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..local_code.."\n"); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
300 else |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
301 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code.."\n"); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
302 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
303 end |
2583
b6b10f57aa56
mod_firewall: Fix for including the same dependency with different parameters
Matthew Wild <mwild1@gmail.com>
parents:
2580
diff
changeset
|
304 code.included_deps[dependency] = true; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
305 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
306 |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
307 local definition_handlers = module:require("definitions"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
308 local condition_handlers = module:require("conditions"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
309 local action_handlers = module:require("actions"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
310 |
2894
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2859
diff
changeset
|
311 if module:get_option_boolean("firewall_experimental_user_marks", false) then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2859
diff
changeset
|
312 module:require"marks"; |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2859
diff
changeset
|
313 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2859
diff
changeset
|
314 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
315 local function new_rule(ruleset, chain) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
316 assert(chain, "no chain specified"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
317 local rule = { conditions = {}, actions = {}, deps = {} }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
318 table.insert(ruleset[chain], rule); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
319 return rule; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
320 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
321 |
2078
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
322 local function parse_firewall_rules(filename) |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
323 local line_no = 0; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
324 |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
325 local function errmsg(err) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
326 return "Error compiling "..filename.." on line "..line_no..": "..err; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
327 end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
328 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
329 local ruleset = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
330 deliver = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
331 }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
332 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
333 local chain = "deliver"; -- Default chain |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
334 local rule; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
335 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
336 local file, err = io.open(filename); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
337 if not file then return nil, err; end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
338 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
339 local state; -- nil -> "rules" -> "actions" -> nil -> ... |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
340 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
341 local line_hold; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
342 for line in file:lines() do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
343 line = line:match("^%s*(.-)%s*$"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
344 if line_hold and line:sub(-1,-1) ~= "\\" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
345 line = line_hold..line; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
346 line_hold = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
347 elseif line:sub(-1,-1) == "\\" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
348 line_hold = (line_hold or "")..line:sub(1,-2); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
349 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
350 line_no = line_no + 1; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
351 |
2080
a435db77a5e5
mod_firewall: Silence warning about empty if branch [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2078
diff
changeset
|
352 if line_hold or line:find("^[#;]") then -- luacheck: ignore 542 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
353 -- No action; comment or partial line |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
354 elseif line == "" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
355 if state == "rules" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
356 return nil, ("Expected an action on line %d for preceding criteria") |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
357 :format(line_no); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
358 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
359 state = nil; |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
360 elseif not(state) and line:sub(1, 2) == "::" then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
361 chain = line:gsub("^::%s*", ""); |
980 | 362 local chain_info = chains[chain]; |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
363 if not chain_info then |
2364
17d236129118
mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
364 if chain:match("^user/") then |
2558
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
365 chains[chain] = { type = "event", priority = 1, pass_return = false }; |
2364
17d236129118
mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
366 else |
17d236129118
mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
367 return nil, errmsg("Unknown chain: "..chain); |
17d236129118
mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/'
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
368 end |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
369 elseif chain_info.type ~= "event" then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
370 return nil, errmsg("Only event chains supported at the moment"); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
371 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
372 ruleset[chain] = ruleset[chain] or {}; |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
373 elseif not(state) and line:sub(1,1) == "%" then -- Definition (zone, limit, etc.) |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
374 local what, name = line:match("^%%%s*(%w+) +([^ :]+)"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
375 if not definition_handlers[what] then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
376 return nil, errmsg("Definition of unknown object: "..what); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
377 elseif not name or not idsafe(name) then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
378 return nil, errmsg("Invalid "..what.." name"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
379 end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
380 |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
381 local val = line:match(": ?(.*)$"); |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
382 if not val and line:find(":<") then -- Read from file |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
383 local fn = line:match(":< ?(.-)%s*$"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
384 if not fn then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
385 return nil, errmsg("Unable to parse filename"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
386 end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
387 local f, err = io.open(fn); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
388 if not f then return nil, errmsg(err); end |
2526 | 389 val = f:read("*a"):gsub("\r?\n", " "):gsub("%s+$", ""); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
390 end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
391 if not val then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
392 return nil, errmsg("No value given for definition"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
393 end |
2550
19a182651a9b
mod_firewall: Allow backslash escapes in definitions
Matthew Wild <mwild1@gmail.com>
parents:
2549
diff
changeset
|
394 val = stripslashes(val); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
395 local ok, ret = pcall(definition_handlers[what], name, val); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
396 if not ok then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
397 return nil, errmsg(ret); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
398 end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
399 |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
400 if not active_definitions[what] then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
401 active_definitions[what] = {}; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
402 end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
403 active_definitions[what][name] = ret; |
2539
1510b66a43fc
mod_firewall: Allow using spaces instead of underscores in actions, as well as conditions
Matthew Wild <mwild1@gmail.com>
parents:
2538
diff
changeset
|
404 elseif line:find("^[%w_ ]+[%.=]") then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
405 -- Action |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
406 if state == nil then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
407 -- This is a standalone action with no conditions |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
408 rule = new_rule(ruleset, chain); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
409 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
410 state = "actions"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
411 -- Action handlers? |
2539
1510b66a43fc
mod_firewall: Allow using spaces instead of underscores in actions, as well as conditions
Matthew Wild <mwild1@gmail.com>
parents:
2538
diff
changeset
|
412 local action = line:match("^[%w_ ]+"):upper():gsub(" ", "_"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
413 if not action_handlers[action] then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
414 return nil, ("Unknown action on line %d: %s"):format(line_no, action or "<unknown>"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
415 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
416 table.insert(rule.actions, "-- "..line) |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
417 local ok, action_string, action_deps = pcall(action_handlers[action], line:match("=(.+)$")); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
418 if not ok then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
419 return nil, errmsg(action_string); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
420 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
421 table.insert(rule.actions, action_string); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
422 for _, dep in ipairs(action_deps or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
423 table.insert(rule.deps, dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
424 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
425 elseif state == "actions" then -- state is actions but action pattern did not match |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
426 state = nil; -- Awaiting next rule, etc. |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
427 table.insert(ruleset[chain], rule); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
428 rule = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
429 else |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
430 if not state then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
431 state = "rules"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
432 rule = new_rule(ruleset, chain); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
433 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
434 -- Check standard modifiers for the condition (e.g. NOT) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
435 local negated; |
2404
9af2d36567a8
mod_firewall: Allow conditions to end with a question mark
Kim Alvefur <zash@zash.se>
parents:
2402
diff
changeset
|
436 local condition = line:match("^[^:=%.?]*"); |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
437 if condition:find("%f[%w]NOT%f[^%w]") then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
438 local s, e = condition:match("%f[%w]()NOT()%f[^%w]"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
439 condition = (condition:sub(1,s-1)..condition:sub(e+1, -1)):match("^%s*(.-)%s*$"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
440 negated = true; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
441 end |
998
6fdcebbd2284
mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents:
996
diff
changeset
|
442 condition = condition:gsub(" ", "_"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
443 if not condition_handlers[condition] then |
998
6fdcebbd2284
mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents:
996
diff
changeset
|
444 return nil, ("Unknown condition on line %d: %s"):format(line_no, (condition:gsub("_", " "))); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
445 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
446 -- Get the code for this condition |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
447 local ok, condition_code, condition_deps = pcall(condition_handlers[condition], line:match(":%s?(.+)$")); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
448 if not ok then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
449 return nil, errmsg(condition_code); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
450 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
451 if negated then condition_code = "not("..condition_code..")"; end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
452 table.insert(rule.conditions, condition_code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
453 for _, dep in ipairs(condition_deps or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
454 table.insert(rule.deps, dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
455 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
456 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
457 end |
2078
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
458 return ruleset; |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
459 end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
460 |
2078
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
461 local function process_firewall_rules(ruleset) |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
462 -- Compile ruleset and return complete code |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
463 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
464 local chain_handlers = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
465 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
466 -- Loop through the chains in the parsed ruleset (e.g. incoming, outgoing) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
467 for chain_name, rules in pairs(ruleset) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
468 local code = { included_deps = {}, global_header = {} }; |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
469 local condition_uses = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
470 -- This inner loop assumes chain is an event-based, not a filter-based |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
471 -- chain (filter-based will be added later) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
472 for _, rule in ipairs(rules) do |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
473 for _, condition in ipairs(rule.conditions) do |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
474 if condition:find("^not%(.+%)$") then |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
475 condition = condition:match("^not%((.+)%)$"); |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
476 end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
477 condition_uses[condition] = (condition_uses[condition] or 0) + 1; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
478 end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
479 end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
480 |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
481 local condition_cache, n_conditions = {}, 0; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
482 for _, rule in ipairs(rules) do |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
483 for _, dep in ipairs(rule.deps) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
484 include_dep(dep, code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
485 end |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
486 table.insert(code, "\n\t\t"); |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
487 local rule_code; |
967
a88f33fe6970
mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents:
966
diff
changeset
|
488 if #rule.conditions > 0 then |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
489 for i, condition in ipairs(rule.conditions) do |
1001
c0850793b716
mod_firewall: don't use %b() (not technically correct)
Matthew Wild <mwild1@gmail.com>
parents:
999
diff
changeset
|
490 local negated = condition:match("^not%(.+%)$"); |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
491 if negated then |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
492 condition = condition:match("^not%((.+)%)$"); |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
493 end |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
494 if condition_uses[condition] > 1 then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
495 local name = condition_cache[condition]; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
496 if not name then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
497 n_conditions = n_conditions + 1; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
498 name = "condition"..n_conditions; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
499 condition_cache[condition] = name; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
500 table.insert(code, "local "..name.." = "..condition..";\n\t\t"); |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
501 end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
502 rule.conditions[i] = (negated and "not(" or "")..name..(negated and ")" or ""); |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
503 else |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
504 rule.conditions[i] = (negated and "not(" or "(")..condition..")"; |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
505 end |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
506 end |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
507 |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
508 rule_code = "if "..table.concat(rule.conditions, " and ").." then\n\t\t\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
509 ..table.concat(rule.actions, "\n\t\t\t") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
510 .."\n\t\tend\n"; |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
511 else |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
512 rule_code = table.concat(rule.actions, "\n\t\t"); |
967
a88f33fe6970
mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents:
966
diff
changeset
|
513 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
514 table.insert(code, rule_code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
515 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
516 |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
517 for name in pairs(definition_handlers) do |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
518 table.insert(code.global_header, 1, "local "..name:lower().."s = definitions."..name..";"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
519 end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
520 |
2558
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
521 local code_string = "return function (definitions, fire_event, log, module, pass_return)\n\t" |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
522 ..table.concat(code.global_header, "\n\t") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
523 .."\n\tlocal db = require 'util.debug';\n\n\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
524 .."return function (event)\n\t\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
525 .."local stanza, session = event.stanza, event.origin;\n" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
526 ..table.concat(code, "") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
527 .."\n\tend;\nend"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
528 |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
529 chain_handlers[chain_name] = code_string; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
530 end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
531 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
532 return chain_handlers; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
533 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
534 |
2078
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
535 local function compile_firewall_rules(filename) |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
536 local ruleset, err = parse_firewall_rules(filename); |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
537 if not ruleset then return nil, err; end |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
538 local chain_handlers = process_firewall_rules(ruleset); |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
539 return chain_handlers; |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
540 end |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2077
diff
changeset
|
541 |
2558
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
542 -- Compile handler code into a factory that produces a valid event handler. Factory accepts |
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
543 -- a value to be returned on PASS |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
544 local function compile_handler(code_string, filename) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
545 -- Prepare event handler function |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
546 local chunk, err = loadstring(code_string, "="..filename); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
547 if not chunk then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
548 return nil, "Error compiling (probably a compiler bug, please report): "..err; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
549 end |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
550 local function fire_event(name, data) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
551 return module:fire_event(name, data); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
552 end |
2558
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
553 return function (pass_return) |
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
554 return chunk()(active_definitions, fire_event, logger(filename), module, pass_return); -- Returns event handler with upvalues |
2b533a7b5236
mod_firewall: Make PASS bubble up through all chains, and add DEFAULT and RETURN
Matthew Wild <mwild1@gmail.com>
parents:
2550
diff
changeset
|
555 end |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
556 end |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
557 |
2366
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
558 local function resolve_script_path(script_path) |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
559 local relative_to = prosody.paths.config; |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
560 if script_path:match("^module:") then |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
561 relative_to = module.path:sub(1, -#("/mod_"..module.name..".lua")); |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
562 script_path = script_path:match("^module:(.+)$"); |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
563 end |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
564 return resolve_relative_path(relative_to, script_path); |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
565 end |
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
566 |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
567 -- [filename] = { last_modified = ..., events_hooked = { [name] = handler } } |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
568 local loaded_scripts = {}; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
569 |
2574
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
570 function load_script(script) |
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
571 script = resolve_script_path(script); |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
572 local last_modified = (lfs.attributes(script) or {}).modification or os.time(); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
573 if loaded_scripts[script] then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
574 if loaded_scripts[script].last_modified == last_modified then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
575 return; -- Already loaded, and source file hasn't changed |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
576 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
577 module:log("debug", "Reloading %s", script); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
578 -- Already loaded, but the source file has changed |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
579 -- unload it now, and we'll load the new version below |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
580 unload_script(script, true); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
581 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
582 local chain_functions, err = compile_firewall_rules(script); |
2859
22e11645a895
mod_firewall: Trim trailing whitespace [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2585
diff
changeset
|
583 |
2574
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
584 if not chain_functions then |
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
585 module:log("error", "Error compiling %s: %s", script, err or "unknown error"); |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
586 return; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
587 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
588 |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
589 -- Loop through the chains in the script, and for each chain attach the compiled code to the |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
590 -- relevant events, keeping track in events_hooked so we can cleanly unload later |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
591 local events_hooked = {}; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
592 for chain, handler_code in pairs(chain_functions) do |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
593 local new_handler, err = compile_handler(handler_code, "mod_firewall::"..chain); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
594 if not new_handler then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
595 module:log("error", "Compilation error for %s: %s", script, err); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
596 else |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
597 local chain_definition = chains[chain]; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
598 if chain_definition and chain_definition.type == "event" then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
599 local handler = new_handler(chain_definition.pass_return); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
600 for _, event_name in ipairs(chain_definition) do |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
601 events_hooked[event_name] = handler; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
602 module:hook(event_name, handler, chain_definition.priority); |
2574
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
603 end |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
604 elseif not chain:sub(1, 5) == "user/" then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
605 module:log("warn", "Unknown chain %q", chain); |
2574
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
606 end |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
607 local event_name, handler = "firewall/chains/"..chain, new_handler(false); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
608 events_hooked[event_name] = handler; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
609 module:hook(event_name, handler); |
2574
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
610 end |
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
611 end |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
612 loaded_scripts[script] = { last_modified = last_modified, events_hooked = events_hooked }; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
613 module:log("debug", "Loaded %s", script); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
614 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
615 |
2580
aaff2716f022
mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents:
2579
diff
changeset
|
616 --COMPAT w/0.9 (no module:unhook()!) |
aaff2716f022
mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents:
2579
diff
changeset
|
617 local function module_unhook(event, handler) |
aaff2716f022
mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents:
2579
diff
changeset
|
618 return module:unhook_object_event((hosts[module.host] or prosody).events, event, handler); |
aaff2716f022
mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents:
2579
diff
changeset
|
619 end |
aaff2716f022
mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents:
2579
diff
changeset
|
620 |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
621 function unload_script(script, is_reload) |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
622 script = resolve_script_path(script); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
623 local script_info = loaded_scripts[script]; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
624 if not script_info then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
625 return; -- Script not loaded |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
626 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
627 local events_hooked = script_info.events_hooked; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
628 for event_name, event_handler in pairs(events_hooked) do |
2580
aaff2716f022
mod_firewall: Compatibility fix for 0.9 (no module:unhook())
Matthew Wild <mwild1@gmail.com>
parents:
2579
diff
changeset
|
629 module_unhook(event_name, event_handler); |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
630 events_hooked[event_name] = nil; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
631 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
632 loaded_scripts[script] = nil; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
633 if not is_reload then |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
634 module:log("debug", "Unloaded %s", script); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
635 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
636 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
637 |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
638 -- Given a set of scripts (e.g. from config) figure out which ones need to |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
639 -- be loaded, which are already loaded but need unloading, and which to reload |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
640 function load_unload_scripts(script_list) |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
641 local wanted_scripts = script_list / resolve_script_path; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
642 local currently_loaded = set.new(it.to_array(it.keys(loaded_scripts))); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
643 local scripts_to_unload = currently_loaded - wanted_scripts; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
644 for script in wanted_scripts do |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
645 -- If the script is already loaded, this is fine - it will |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
646 -- reload the script for us if the file has changed |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
647 load_script(script); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
648 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
649 for script in scripts_to_unload do |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
650 unload_script(script); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
651 end |
2574
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
652 end |
f65c5927ee8e
mod_firewall: Factor out script loading
Matthew Wild <mwild1@gmail.com>
parents:
2573
diff
changeset
|
653 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
654 function module.load() |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
655 if not prosody.arg then return end -- Don't run in prosodyctl |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
656 local firewall_scripts = module:get_option_set("firewall_scripts", {}); |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
657 load_unload_scripts(firewall_scripts); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
658 -- Replace contents of definitions table (shared) with active definitions |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
659 for k in it.keys(definitions) do definitions[k] = nil; end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
660 for k,v in pairs(active_definitions) do definitions[k] = v; end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
661 end |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
662 |
2578
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
663 function module.save() |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
664 return { active_definitions = active_definitions, loaded_scripts = loaded_scripts }; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
665 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
666 |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
667 function module.restore(state) |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
668 active_definitions = state.active_definitions; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
669 loaded_scripts = state.loaded_scripts; |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
670 end |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
671 |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
672 module:hook_global("config-reloaded", function () |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
673 load_unload_scripts(module:get_option_set("firewall_scripts", {})); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
674 end); |
6dbd07f9a868
mod_firewall: Various improvements allowing dynamic load/reload/unload of scripts
Matthew Wild <mwild1@gmail.com>
parents:
2574
diff
changeset
|
675 |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
676 function module.command(arg) |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
677 if not arg[1] or arg[1] == "--help" then |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
678 require"util.prosodyctl".show_usage([[mod_firewall <firewall.pfw>]], [[Compile files with firewall rules to Lua code]]); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
679 return 1; |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
680 end |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
681 local verbose = arg[1] == "-v"; |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
682 if verbose then table.remove(arg, 1); end |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
683 |
2585
02c6ae745c4f
mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
684 if arg[1] == "test" then |
02c6ae745c4f
mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
685 table.remove(arg, 1); |
02c6ae745c4f
mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
686 return module:require("test")(arg); |
02c6ae745c4f
mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
687 end |
02c6ae745c4f
mod_firewall: Add 'test' subcommand to read stanzas from stdin and test them against rules
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
688 |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
689 local serialize = require "util.serialization".serialize; |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
690 if verbose then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
691 print("local logger = require \"util.logger\".init;"); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
692 print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
693 print("local function fire_event(name, data)\n\tmodule:fire_event(name, data)\nend"); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
694 print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
695 end |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
696 |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
697 for _, filename in ipairs(arg) do |
2366
14021c93a962
mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file
Matthew Wild <mwild1@gmail.com>
parents:
2365
diff
changeset
|
698 filename = resolve_script_path(filename); |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
699 print("do -- File "..filename); |
2365
05dae9adf778
mod_firewall: Fix for when compiling on the command line and specifying multiple files
Matthew Wild <mwild1@gmail.com>
parents:
2364
diff
changeset
|
700 local chain_functions = assert(compile_firewall_rules(filename)); |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
701 if verbose then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
702 print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
703 print("local active_definitions = "..serialize(active_definitions)..";"); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
704 print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
705 end |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
706 local c = 0; |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
707 for chain, handler_code in pairs(chain_functions) do |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
708 c = c + 1; |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
709 print("---- Chain "..chain:gsub("_", " ")); |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
710 local chain_func_name = "chain_"..tostring(c).."_"..chain:gsub("%p", "_"); |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
711 if not verbose then |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
712 print(("%s = %s;"):format(chain_func_name, handler_code:sub(8))); |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
713 else |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
714 |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
715 print(("local %s = (%s)(active_definitions, fire_event, logger(%q));"):format(chain_func_name, handler_code:sub(8), filename)); |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
716 print(); |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
717 |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
718 local chain_definition = chains[chain]; |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
719 if chain_definition and chain_definition.type == "event" then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
720 for _, event_name in ipairs(chain_definition) do |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
721 print(("module:hook(%q, %s, %d);"):format(event_name, chain_func_name, chain_definition.priority or 0)); |
2118
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
722 end |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
723 end |
2367
3ebd3cb4d7d2
mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids
Matthew Wild <mwild1@gmail.com>
parents:
2366
diff
changeset
|
724 print(("module:hook(%q, %s, %d);"):format("firewall/chains/"..chain, chain_func_name, chain_definition.priority or 0)); |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
725 end |
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
726 |
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
727 print("---- End of chain "..chain); |
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
728 print(); |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
729 end |
2117
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2113
diff
changeset
|
730 print("end -- End of file "..filename); |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
731 end |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
732 end |