Mercurial > prosody-modules
annotate mod_firewall/README.markdown @ 2389:a753b21968c5
mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Sat, 19 Nov 2016 16:01:51 +0000 |
| parents | b6d59998dba7 |
| children | 28fbe960adcf |
| rev | line source |
|---|---|
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
1 --- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
2 labels: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
3 - 'Stage-Alpha' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
4 summary: 'A rule-based stanza filtering module' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
5 ... |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
6 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
7 ------------------------------------------------------------------------ |
| 1782 | 8 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
9 **Note:** mod\_firewall is in its very early stages. This documentation |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
10 is liable to change, and some described functionality may be missing, |
|
2375
7ad312b4cefe
mod_firewall/README: Remove mention of comments section from google code
Kim Alvefur <zash@zash.se>
parents:
2370
diff
changeset
|
11 incomplete or contain bugs. |
| 1782 | 12 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
13 ------------------------------------------------------------------------ |
| 1782 | 14 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
15 Introduction |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
16 ============ |
| 1782 | 17 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
18 A firewall is an invaluable tool in the sysadmin's toolbox. However |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
19 while low-level firewalls such as iptables and pf are incredibly good at |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
20 what they do, they are generally not able to handle application-layer |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
21 rules. |
| 1782 | 22 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
23 The goal of mod\_firewall is to provide similar services at the XMPP |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
24 layer. Based on rule scripts it can efficiently block, bounce, drop, |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
25 forward, copy, redirect stanzas and more! Furthermore all rules can be |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
26 applied and updated dynamically at runtime without restarting the |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
27 server. |
| 1782 | 28 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
29 Details |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
30 ======= |
| 1782 | 31 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
32 mod\_firewall loads one or more scripts, and compiles these to Lua code |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
33 that reacts to stanzas flowing through Prosody. The firewall script |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
34 syntax is unusual, but straightforward. |
| 1782 | 35 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
36 A firewall script is dominated by rules. Each rule has two parts: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
37 conditions, and actions. When a stanza matches all of the conditions, |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
38 all of the actions are executed in order. |
| 1782 | 39 |
| 40 Here is a simple example to block stanzas from spammer@example.com: | |
| 41 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
42 FROM: spammer@example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
43 DROP. |
| 1782 | 44 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
45 FROM is a condition, and DROP is an action. This is about as simple as |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
46 it gets. How about heading to the other extreme? Let's demonstrate |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
47 something more complex that mod\_firewall can do for you: |
| 1782 | 48 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
49 %ZONE myorganisation: staff.myorg.example, support.myorg.example |
| 1782 | 50 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
51 ENTERING: myorganisation |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
52 KIND: message |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
53 TIME: 12am-9am, 5pm-12am, Saturday, Sunday |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
54 REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789. |
| 1782 | 55 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
56 This rule will reply with a short message whenever someone tries to send |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
57 a message to someone at any of the hosts defined in the 'myorganisation' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
58 outside of office hours. |
| 1782 | 59 |
|
2387
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
60 Specifying rule sets |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
61 -------------------- |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
62 |
|
2387
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
63 Firewall rules should be written into text files, e.g. `ruleset.pfw` file. |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
64 One or more rule files can be specified in the configuration using: |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
65 |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
66 firewall_scripts = { "path/to/ruleset.pfw", "path/to/ruleset2.pfw" } |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
67 |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
68 If multiple files are specified and they both add rules to the same chains, |
|
5bfb2ccab2ab
mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents:
2375
diff
changeset
|
69 each file's rules will be processed in order, but the order of files is undefined. |
| 1782 | 70 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
71 Conditions |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
72 ---------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
73 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
74 All conditions must come before any action in a rule block. The |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
75 condition name is followed by a colon (':'), and the value to test for. |
| 1782 | 76 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
77 A condition can be preceded or followed by `NOT` to negate its match. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
78 For example: |
| 1782 | 79 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
80 NOT FROM: user@example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
81 KIND NOT: message |
| 1782 | 82 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
83 ### Zones |
| 1782 | 84 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
85 A 'zone' is one or more hosts or JIDs. It is possible to match when a |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
86 stanza is entering or leaving a zone, while at the same time not |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
87 matching traffic passing between JIDs in the same zone. |
| 1782 | 88 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
89 Zones are defined at the top of a script with the following syntax (they |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
90 are not part of a rule block): |
| 1782 | 91 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
92 %ZONE myzone: host1, host2, user@host3, foo.bar.example |
| 1782 | 93 |
|
2388
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
94 There is an automatic zone named `$local`, which automatically includes |
|
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
95 all of the current server's active hosts (including components). It can |
|
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
96 be used to match stanzas entering or leaving the current server. |
|
b6d59998dba7
mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents:
2387
diff
changeset
|
97 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
98 A host listed in a zone also matches all users on that host (but not |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
99 subdomains). |
| 1782 | 100 |
| 101 The following zone-matching conditions are supported: | |
| 102 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
103 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
104 ------------ ------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
105 `ENTERING` When a stanza is entering the named zone |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
106 `LEAVING` When a stanza is leaving the named zone |
| 1782 | 107 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
108 ### Stanza matching |
| 1782 | 109 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
110 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
111 ----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
112 `KIND` The kind of stanza. May be 'message', 'presence' or 'iq' |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
113 `TYPE` The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
114 `PAYLOAD` The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
115 `INSPECT` The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
116 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
117 #### Stanza types |
| 1782 | 118 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
119 Stanza Valid types |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
120 ---------- ------------------------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
121 iq get, set, result, error |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
122 presence *available*, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
123 message normal, chat, groupchat, headline, error |
| 1782 | 124 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
125 **Note:** The type 'available' for presence does not actually appear in |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
126 the protocol. Available presence is signalled by the omission of a type. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
127 Similarly, a message stanza with no type is equivalent to one of type |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
128 'normal'. mod\_firewall handles these cases for you automatically. |
| 1782 | 129 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
130 #### INSPECT |
| 1782 | 131 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
132 INSPECT takes a 'path' through the stanza to get a string (an attribute |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
133 value or text content). An example is the best way to explain. Let's |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
134 check that a user is not trying to register an account with the username |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
135 'admin'. This stanza comes from [XEP-0077: In-band |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
136 Registration](http://xmpp.org/extensions/xep-0077.html#example-4): |
| 1782 | 137 |
|
2002
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
138 ``` xml |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
139 <iq type='set' id='reg2'> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
140 <query xmlns='jabber:iq:register'> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
141 <username>bill</username> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
142 <password>Calliope</password> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
143 <email>bard@shakespeare.lit</email> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
144 </query> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
145 </iq> |
|
ce991c678370
mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
146 ``` |
| 1782 | 147 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
148 KIND: iq |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
149 TYPE: set |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
150 PAYLOAD: jabber:iq:register |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
151 INSPECT: {jabber:iq:register}query/username#=admin |
|
2360
97e63e8f0f32
mod_firewall: README: Fix example usage of BOUNCE
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
152 BOUNCE=not-allowed (The username 'admin' is reserved.) |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
153 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
154 That weird string deserves some explanation. It is a path, divided into |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
155 segments by '/'. Each segment describes an element by its name, |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
156 optionally prefixed by its namespace in curly braces ('{...}'). If the |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
157 path ends with a '\#' then the text content of the last element will be |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
158 returned. If the path ends with '@name' then the value of the attribute |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
159 'name' will be returned. |
| 1782 | 160 |
|
2110
c26b28c65d47
mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents:
2108
diff
changeset
|
161 You can use INSPECT to test for the existence of an element or attribute, |
|
c26b28c65d47
mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents:
2108
diff
changeset
|
162 or you can see if it is equal to a string by appending `=STRING` (as in the |
|
c26b28c65d47
mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents:
2108
diff
changeset
|
163 example above). Finally,you can also test whether it matches a given Lua |
|
c26b28c65d47
mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents:
2108
diff
changeset
|
164 pattern by using `~=PATTERN`. |
|
c26b28c65d47
mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents:
2108
diff
changeset
|
165 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
166 INSPECT is somewhat slower than the other stanza matching conditions. To |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
167 minimise performance impact, always place it below other faster |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
168 condition checks where possible (e.g. above we first checked KIND, TYPE |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
169 and PAYLOAD matched before INSPECT). |
| 1782 | 170 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
171 ### Sender/recipient matching |
| 1782 | 172 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
173 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
174 ----------- ------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
175 `FROM` The JID in the 'from' attribute matches the given JID |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
176 `TO` The JID in the 'to' attribute matches the given JID |
| 1782 | 177 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
178 These conditions both accept wildcards in the JID when the wildcard |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
179 expression is enclosed in angle brackets ('\<...\>'). For example: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
180 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
181 # All users at example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
182 FROM: <*>@example.com |
| 1782 | 183 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
184 # The user 'admin' on any subdomain of example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
185 FROM: admin@<*.example.com> |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
186 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
187 You can also use [Lua's pattern |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
188 matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
189 powerful matching abilities. Patterns are a lightweight |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
190 regular-expression alternative. Simply contain the pattern in double |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
191 angle brackets. The pattern is automatically anchored at the start and |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
192 end (so it must match the entire portion of the JID). |
| 1782 | 193 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
194 # Match admin@example.com, and admin1@example.com, etc. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
195 FROM: <<admin%d*>>@example.com |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
196 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
197 **Note:** It is important to know that 'example.com' is a valid JID on |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
198 its own, and does **not** match 'user@example.com'. To perform domain |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
199 whitelists or blacklists, use Zones. |
| 1782 | 200 |
| 2047 | 201 Condition Matches |
| 202 ---------------- --------------------------------------------------------------- | |
| 203 `FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID | |
| 204 `TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID | |
|
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
205 |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
206 These additional conditions do not support pattern matching, but are |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
207 useful to match the exact to/from address on a stanza. For example, if |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
208 no resource is specified then only bare JIDs will be matched. TO and FROM |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
209 match all resources if no resource is specified to match. |
|
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2002
diff
changeset
|
210 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
211 **Note:** Some chains execute before Prosody has performed any |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
212 normalisation or validity checks on the to/from JIDs on an incoming |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
213 stanza. It is not advisable to perform access control or similar rules |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
214 on JIDs in these chains (see the chain documentation for more info). |
| 1782 | 215 |
|
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
216 ### Roster |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
217 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
218 These functions access the roster of the recipient (only). Therefore they cannot (currently) |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
219 be used in some chains, such as for outgoing messages (the recipient may be on another server). |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
220 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
221 Performance note: this check can potentially cause storage access (especially if the recipient |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
222 is currently offline), so you may want to limit its use in high-traffic situations, and place |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
223 it below other checks (such as a rate limiter). |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
224 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
225 #### IN_ROSTER |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
226 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
227 Tests whether the sender is in the recipient's roster. |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
228 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
229 IN_ROSTER: yes |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
230 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
231 #### IN_ROSTER_GROUP |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
232 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
233 Tests whether the sender is in the recipient's roster, and in the named group. |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
234 |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
235 IN_ROSTER_GROUP: Friends |
|
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2114
diff
changeset
|
236 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
237 ### Time and date |
| 1782 | 238 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
239 #### TIME |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
240 |
| 1782 | 241 Matches stanzas sent during certain time periods. |
| 242 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
243 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
244 ----------- ------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
245 TIME When the current server local time is within one of the comma-separated time ranges given |
| 1782 | 246 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
247 TIME: 10pm-6am, 14:00-15:00 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
248 REPLY=Zzzz. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
249 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
250 #### DAY |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
251 |
| 1782 | 252 It is also possible to match only on certain days of the week. |
| 253 | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
254 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
255 ----------- ----------------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
256 DAY When the current day matches one, or falls within a rage, in the given comma-separated list of days |
| 1782 | 257 |
| 258 Example: | |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
259 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
260 DAY: Sat-Sun, Wednesday |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
261 REPLY=Sorry, I'm out enjoying life! |
| 1782 | 262 |
|
2102
2c225b4b93d2
mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents:
2096
diff
changeset
|
263 All times and dates are handled in the server's local time. |
|
2c225b4b93d2
mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents:
2096
diff
changeset
|
264 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
265 ### Rate-limiting |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
266 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
267 It is possible to selectively rate-limit stanzas, and use rules to |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
268 decide what to do with stanzas when over the limit. |
| 1782 | 269 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
270 First, you must define any rate limits that you are going to use in your |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
271 script. Here we create a limiter called 'normal' that will allow 2 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
272 stanzas per second, and then we define a rule to bounce messages when |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
273 over this limit. Note that the `RATE` definition is not part of a rule |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
274 (multiple rules can share the same limiter). |
| 1782 | 275 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
276 %RATE normal: 2 (burst 3) |
| 1782 | 277 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
278 KIND: message |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
279 LIMIT: normal |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
280 BOUNCE=policy-violation (Sending too fast!) |
| 1782 | 281 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
282 The 'burst' parameter on the rate limit allows you to spread the limit |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
283 check over a given time period. For example the definition shown above |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
284 will allow the limit to be temporarily surpassed, as long as it is |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
285 within the limit after 3 seconds. You will almost always want to specify |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
286 a burst factor. |
| 1782 | 287 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
288 Both the rate and the burst can be fractional values. For example a rate |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
289 of 0.1 means only one event is allowed every 10 seconds. |
| 1782 | 290 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
291 The LIMIT condition actually does two things; first it counts against |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
292 the given limiter, and then it checks to see if the limiter over its |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
293 limit yet. If it is, the condition matches, otherwise it will not. |
| 1782 | 294 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
295 Condition Matches |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
296 ----------- -------------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
297 `LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit. |
| 1782 | 298 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
299 **Note:** Reloading mod\_firewall resets the current state of any |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
300 limiters. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
301 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
302 #### Dynamic limits |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
303 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
304 Sometimes you may want to have multiple throttles in a single condition, using some property of the session or stanza |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
305 to determine which throttle to use. For example, you might have a limit for incoming stanzas, but you want to limit by |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
306 sending JID, instead of all incoming stanzas sharing the same limit. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
307 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
308 You can use the 'on' keyword for this, like so: |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
309 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
310 LIMIT: normal on EXPRESSION |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
311 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
312 For more information on expressions, see the section later in this document. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
313 |
|
2370
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
314 Each value of 'EXPRESSION' has to be tracked individually in a table, which uses a small amount of memory. To prevent |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
315 memory exhaustion, the number of tracked values is limited to 1000 by default. You can override this by setting the |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
316 maximum number of table entries when you define the rate: |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
317 |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
318 %RATE normal: 2 (burst 3) (entries 4096) |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
319 |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
320 Old values are automatically removed from the tracking table. However if the tracking table becomes full, new entries |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
321 will be rejected - it will behave as if the rate limit was reached, even for values that have not been seen before. Since |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
322 this opens up a potential denial of service (innocent users may be affected if malicious users can fill up the tracking |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
323 table within the limit period). You can choose to instead "fail open", and allow the rate limit to be temporarily bypassed |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
324 when the table is full. To choose this behaviour, add `(allow overflow)` to the RATE definition. |
|
5fe483b73fd2
mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents:
2369
diff
changeset
|
325 |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
326 ### Session marking |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
327 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
328 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
329 `ORIGIN_MARKED` condition. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
330 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
331 Condition Description |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
332 ------------------------------- --------------------------------------------------------------- |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
333 ORIGIN_MARKED: markname Matches if the origin has been marked with 'markname'. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
334 ORIGIN_MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
335 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
336 Example usage: |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
337 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
338 # This rule drops messages from sessions that have been marked as spammers in the past hour |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
339 ORIGIN_MARKED: spammer (3600s) |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
340 DROP. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
341 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
342 # This rule marks the origin session as a spammer if they send a message to a honeypot JID |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
343 KIND: message |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
344 TO: honeypot@example.com |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
345 MARK_ORIGIN=spammer |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
346 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
347 Actions |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
348 ------- |
| 1782 | 349 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
350 Actions come after all conditions in a rule block. There must be at |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
351 least one action, though conditions are optional. |
| 1782 | 352 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
353 An action without parameters ends with a full-stop/period ('.'), and one |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
354 with parameters uses an equals sign ('='): |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
355 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
356 # An action with no parameters: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
357 DROP. |
| 1782 | 358 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
359 # An action with a parameter: |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
360 REPLY=Hello, this is a reply. |
| 1782 | 361 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
362 ### Route modification |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
363 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
364 The most common actions modify the stanza's route in some way. Currently |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
365 the first matching rule to do so will halt further processing of actions |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
366 and rules (this may change in the future). |
| 1782 | 367 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
368 Action Description |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
369 ----------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
370 `PASS.` Stop executing actions and rules on this stanza, and let it through this chain. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
371 `DROP.` Stop executing actions and rules on this stanza, and discard it. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
372 `REDIRECT=jid` Redirect the stanza to the given JID. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
373 `REPLY=text` Reply to the stanza (assumed to be a message) with the given text. |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
374 `BOUNCE.` Bounce the stanza with the default error (usually service-unavailable) |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
375 `BOUNCE=error` Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [RFC6120](http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions). |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
376 `BOUNCE=error (text)` As above, but include the supplied human-readable text with a description of the error |
|
2092
f5d78bc016a6
mod_firewall: README: Add warning about COPY action's ability to cause loops (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2047
diff
changeset
|
377 `COPY=jid` Make a copy of the stanza and send the copy to the specified JID. The copied stanza flows through Prosody's routing code, and as such is affected by firewall rules. Be careful to avoid loops. |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
378 |
|
2095
3b4a6d255d7a
mod_firewall: README: Add note about BOUNCE and error stanzas/iq results
Matthew Wild <mwild1@gmail.com>
parents:
2093
diff
changeset
|
379 **Note:** It is incorrect behaviour to reply to an 'error' stanza with another error, so BOUNCE will simply act the same as 'DROP' for stanzas that should not be bounced (error stanzas and iq results). |
|
3b4a6d255d7a
mod_firewall: README: Add note about BOUNCE and error stanzas/iq results
Matthew Wild <mwild1@gmail.com>
parents:
2093
diff
changeset
|
380 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
381 ### Stanza modification |
| 1782 | 382 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
383 These actions make it possible to modify the content and structure of a |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
384 stanza. |
| 1782 | 385 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
386 Action Description |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
387 ------------------------ ------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
388 `STRIP=name` Remove any child elements with the given name in the default namespace |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
389 `STRIP=name namespace` Remove any child elements with the given name and the given namespace |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
390 `INJECT=xml` Inject the given XML into the stanza as a child element |
| 1782 | 391 |
|
2108
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
392 ### Sessions |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
393 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
394 It is possible to mark sessions, and then use these marks to match rules later on. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
395 |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
396 Action Description |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
397 ------------------------ -------------------------------------------------------------------------- |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
398 `MARK_ORIGIN=mark` Marks the originating session with the given flag. |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
399 `UNMARK_ORIGIN=mark` Removes the given mark from the origin session (if it is set). |
|
573fe9825fba
mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
400 |
|
2114
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
401 **Note:** Marks apply to sessions, not JIDs. E.g. if marking in a rule that matches a stanza received |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
402 over s2s, it is the s2s session that is marked. |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
403 |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
404 It is possible to have multiple marks on an origin at any given time. |
|
ce3dd93f30d9
mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents:
2111
diff
changeset
|
405 |
|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
406 ### Informational |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
407 |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
408 Action Description |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
409 --------------- ------------------------------------------------------------------------------------------------------------------------ |
|
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
410 `LOG=message` Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]` |
|
2093
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
411 |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
412 You can include expressions in log messages, using `$(...)` syntax. For example, to log the stanza that matched the rule, you can use $(stanza), |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
413 or to log just the top tag of the stanza, use $(stanza:top_tag()). |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
414 |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
415 Example: |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
416 |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
417 # Log all stanzas to user@example.com: |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
418 TO: user@example.com |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
419 LOG=[debug] User received: $(stanza) |
|
7b9520479e99
mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents:
2092
diff
changeset
|
420 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
421 More info about expressions can be found below. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
422 |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
423 Chains |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
424 ------ |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
425 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
426 Rules are grouped into "chains", which are injected at particular points in Prosody's routing code. |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
427 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
428 Available chains are: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
429 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
430 Chain Description |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
431 -------------- ------------------------------------------------------------------------------------------- |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
432 deliver Applies to stanzas delivered to local recipients (regardless of the stanza's origin) |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
433 deliver_remote Applies to stanzas delivered to remote recipients (just before they leave the local server) |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
434 preroute Applies to incoming stanzas from local users, before any routing rules are applied |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
435 |
|
2111
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
436 A chain is begun by a line `::name` where 'name' is the name of the chain you want the following rules to be |
|
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
437 inserted into. If no chain is specified, rules are put into the 'deliver' chain. |
|
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
438 |
|
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
439 It is possible to create custom chains (useful with the JUMP_CHAIN action described below). User-created |
|
4e434abaf8fc
mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents:
2110
diff
changeset
|
440 chains must begin with "user/", e.g. "user/spam_filtering". |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
441 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
442 Example of chain use: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
443 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
444 # example.com's firewall script |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
445 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
446 # This line is optional, because 'deliver' is the default chain anyway: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
447 ::deliver |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
448 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
449 # This rule matches any stanzas delivered to our local user bob: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
450 TO: bob@example.com |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
451 DROP. |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
452 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
453 # Oops! This rule will never match, because alice is not a local user, |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
454 # and only stanzas to local users go through the 'deliver' chain: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
455 TO: alice@remote.example.com |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
456 DROP. |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
457 |
|
2104
384fb28452b9
mod_firewall: README: Improve chain usage example comments
Matthew Wild <mwild1@gmail.com>
parents:
2103
diff
changeset
|
458 # Create a 'preroute' chain of rules (matched for incoming stanzas from local clients): |
|
2096
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
459 ::preroute |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
460 # These rules are matched for outgoing stanzas from local clients |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
461 |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
462 # This will match any stanzas sent to alice from a local user: |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
463 TO: alice@remote.example.com |
|
b75d29a162cd
mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents:
2095
diff
changeset
|
464 DROP. |
|
2105
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
465 |
|
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
466 Action Description |
|
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
467 ------------------------ ------------------------------------------------------------------------ |
|
f2d5aa789646
mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
468 `JUMP_CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing. |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
469 |
|
2389
a753b21968c5
mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
Matthew Wild <mwild1@gmail.com>
parents:
2388
diff
changeset
|
470 It is possible to jump to chains defined by other scripts and modules. |
|
a753b21968c5
mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
Matthew Wild <mwild1@gmail.com>
parents:
2388
diff
changeset
|
471 |
|
2369
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
472 Expressions |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
473 ----------- |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
474 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
475 Some conditions and actions in rules support "expressions" in their parameters (their documentation will indicate if this is the case). Most parameters |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
476 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
477 rule is being run. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
478 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
479 There are two kinds of expression that you can use: stanza expressions, and code expressions. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
480 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
481 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
482 above. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
483 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
484 Example: |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
485 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
486 LOG=Matched a stanza from $<@from> to $<@to> |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
487 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
488 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) it will return the text `<undefined>`. You can override this |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
489 by specifying an alternative default value, using the syntax `$<path||default>`. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
490 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
491 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
492 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers) |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
493 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza, |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
494 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string. |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
495 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
496 Example to limit stanzas per session type: |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
497 |
|
2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents:
2360
diff
changeset
|
498 LIMIT: normal on $(session.type) |