prosody-modules: mod_firewall/mod

annotate mod_firewall/mod_firewall.lua @ 2494:d300ae5dba87

mod_smacks: Fix some bugs with smacks-ack-delayed event triggering. The old code had several flaws which are addressed here. First of all this fixes the if statement guarding the event generation There where some timing glitches addressed by this commit as well.

author	tmolitor <thilo@eightysoft.de>
date	Sun, 12 Feb 2017 21:23:22 +0100
parents	01babf1caa4a
children	3990b1bca308

rev	line source
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	1
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	2 local resolve_relative_path = require "core.configmanager".resolve_relative_path;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	3 local logger = require "util.logger".init;
971 53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	4 local it = require "util.iterators";
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	5
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	6 local definitions = module:shared("definitions");
2374 d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically) Matthew Wild <mwild1@gmail.com> parents: 2368 diff changeset	7 local active_definitions = {
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically) Matthew Wild <mwild1@gmail.com> parents: 2368 diff changeset	8 ZONE = {
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically) Matthew Wild <mwild1@gmail.com> parents: 2368 diff changeset	9 -- Default zone that includes all local hosts
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically) Matthew Wild <mwild1@gmail.com> parents: 2368 diff changeset	10 ["$local"] = setmetatable({}, { __index = prosody.hosts });
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically) Matthew Wild <mwild1@gmail.com> parents: 2368 diff changeset	11 }
d630fa0d4dba mod_firewall: Add default zone called '$local' containing all local hosts (dynamically) Matthew Wild <mwild1@gmail.com> parents: 2368 diff changeset	12 };
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	13
2113 d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	14 local default_chains = {
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	15 preroute = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	16 type = "event";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	17 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	18 "pre-message/bare", "pre-message/full", "pre-message/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	19 "pre-presence/bare", "pre-presence/full", "pre-presence/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	20 "pre-iq/bare", "pre-iq/full", "pre-iq/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	21 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	22 deliver = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	23 type = "event";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	24 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	25 "message/bare", "message/full", "message/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	26 "presence/bare", "presence/full", "presence/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	27 "iq/bare", "iq/full", "iq/host";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	28 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	29 deliver_remote = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	30 type = "event"; "route/remote";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	31 priority = 0.1;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	32 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	33 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	34
2113 d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	35 local extra_chains = module:get_option("firewall_extra_chains", {});
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	36
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	37 local chains = {};
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	38 for k,v in pairs(default_chains) do
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	39 chains[k] = v;
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	40 end
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	41 for k,v in pairs(extra_chains) do
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	42 chains[k] = v;
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	43 end
d75145297bf9 mod_firewall: Support for defining extra chains in the config file Matthew Wild <mwild1@gmail.com> parents: 2101 diff changeset	44
2124 89363766202c mod_firewall: Add comment to document idsafe() Matthew Wild <mwild1@gmail.com> parents: 2118 diff changeset	45 -- Returns the input if it is safe to be used as a variable name, otherwise nil
2099 a8c701631d0b mod_firewall: Make idsafe() a global function so libraries can re-use it Matthew Wild <mwild1@gmail.com> parents: 2080 diff changeset	46 function idsafe(name)
a8c701631d0b mod_firewall: Make idsafe() a global function so libraries can re-use it Matthew Wild <mwild1@gmail.com> parents: 2080 diff changeset	47 return name:match("^%a[%w_]*$")
971 53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	48 end
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	49
2125 edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	50 -- Run quoted (%q) strings through this to allow them to contain code. e.g.: LOG=Received: $(stanza:top_tag())
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	51 function meta(s, extra)
2385 c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters Matthew Wild <mwild1@gmail.com> parents: 2374 diff changeset	52 return (s:gsub("$(%b())", function (expr)
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters Matthew Wild <mwild1@gmail.com> parents: 2374 diff changeset	53 expr = expr:gsub("\\(.)", "%1");
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters Matthew Wild <mwild1@gmail.com> parents: 2374 diff changeset	54 return [["..tostring(]]..expr..[[).."]];
c0c2f8665c3e mod_firewall: Fix for raw code expressions that contain escape-worthy characters Matthew Wild <mwild1@gmail.com> parents: 2374 diff changeset	55 end)
2125 edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	56 :gsub("$(%b<>)", function (expr)
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	57 expr = expr:sub(2,-2);
2368 7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	58 local default = expr:match("\|\|([^\|]+)$");
7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	59 if default then
7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	60 expr = expr:sub(1, -(#default+2));
7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	61 else
7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	62 default = "<undefined>";
7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	63 end
2125 edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	64 if expr:match("^@") then
2368 7e1d8c46d788 mod_firewall: Support for default values in stanza paths Matthew Wild <mwild1@gmail.com> parents: 2367 diff changeset	65 return "\"..(stanza.attr["..("%q"):format(expr:sub(2)).."] or "..("%q"):format(default)..")..\"";
2125 edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	66 end
2464 01babf1caa4a mod_firewall: Fix $<> expressions being truncated when compiled Matthew Wild <mwild1@gmail.com> parents: 2418 diff changeset	67 return "\"..(stanza:find("..("%q"):format(expr)..") or "..("%q"):format(default)..")..\"";
2125 edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	68 end)
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	69 :gsub("$$(%a+)", extra or {})
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	70 :gsub([[^""%.%.]], "")
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	71 :gsub([[%.%.""$]], ""));
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	72 end
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	73
edf5cf3c474b mod_firewall: Move meta() function to main module, and make it a global so libs can use it Matthew Wild <mwild1@gmail.com> parents: 2124 diff changeset	74
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	75 -- Dependency locations:
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	76 -- <type lib>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	77 -- <type global>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	78 -- function handler()
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	79 -- <local deps>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	80 -- if <conditions> then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	81 -- <actions>
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	82 -- end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	83 -- end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	84
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	85 local available_deps = {
1303 8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	86 st = { global_code = [[local st = require "util.stanza";]]};
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	87 jid_split = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	88 global_code = [[local jid_split = require "util.jid".split;]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	89 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	90 jid_bare = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	91 global_code = [[local jid_bare = require "util.jid".bare;]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	92 };
2412 9159f9166893 mod_firewall: Use the sender bare JID instead of 'to' for stanzas to self Kim Alvefur <zash@zash.se> parents: 2404 diff changeset	93 to = { local_code = [[local to = stanza.attr.to or jid_bare(session.full_jid);]]; depends = { "jid_bare" } };
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	94 from = { local_code = [[local from = stanza.attr.from;]] };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	95 type = { local_code = [[local type = stanza.attr.type;]] };
2415 07d7036040ee mod_firewall: Insert semicolons after some statements to prevent ambiguous syntax in output (fixes #797) Kim Alvefur <zash@zash.se> parents: 2412 diff changeset	96 name = { local_code = [[local name = stanza.name;]] };
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	97 split_to = { -- The stanza's split to address
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	98 depends = { "jid_split", "to" };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	99 local_code = [[local to_node, to_host, to_resource = jid_split(to);]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	100 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	101 split_from = { -- The stanza's split from address
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	102 depends = { "jid_split", "from" };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	103 local_code = [[local from_node, from_host, from_resource = jid_split(from);]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	104 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	105 bare_to = { depends = { "jid_bare", "to" }, local_code = "local bare_to = jid_bare(to)"};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	106 bare_from = { depends = { "jid_bare", "from" }, local_code = "local bare_from = jid_bare(from)"};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	107 group_contains = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	108 global_code = [[local group_contains = module:depends("groups").group_contains]];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	109 };
2418 ef95853cf900 mod_firewall: More semicolons Kim Alvefur <zash@zash.se> parents: 2416 diff changeset	110 is_admin = { global_code = [[local is_admin = require "core.usermanager".is_admin;]]};
ef95853cf900 mod_firewall: More semicolons Kim Alvefur <zash@zash.se> parents: 2416 diff changeset	111 core_post_stanza = { global_code = [[local core_post_stanza = prosody.core_post_stanza;]] };
965 d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	112 zone = { global_code = function (zone)
971 53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	113 assert(idsafe(zone), "Invalid zone name: "..zone);
965 d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	114 return ("local zone_%s = zones[%q] or {};"):format(zone, zone);
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	115 end };
966 a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	116 date_time = { global_code = [[local os_date = os.date]]; local_code = [[local current_date_time = os_date("*t");]] };
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	117 time = { local_code = function (what)
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	118 local defs = {};
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	119 for field in what:gmatch("%a+") do
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	120 table.insert(defs, ("local current_%s = current_date_time.%s;"):format(field, field));
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	121 end
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	122 return table.concat(defs, " ");
a65df6e97d94 mod_firewall: Add time and date deps Matthew Wild <mwild1@gmail.com> parents: 965 diff changeset	123 end, depends = { "date_time" }; };
2418 ef95853cf900 mod_firewall: More semicolons Kim Alvefur <zash@zash.se> parents: 2416 diff changeset	124 timestamp = { global_code = [[local get_time = require "socket".gettime;]]; local_code = [[local current_timestamp = get_time();]]; };
2128 21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	125 globalthrottle = {
971 53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	126 global_code = function (throttle)
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	127 assert(idsafe(throttle), "Invalid rate limit name: "..throttle);
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	128 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle);
2128 21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	129 return ("local global_throttle_%s = rates.%s:single();"):format(throttle, throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	130 end;
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	131 };
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	132 multithrottle = {
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	133 global_code = function (throttle)
2130 9239893a2400 mod_firewall: Don't use util.cache unless it's needed, and add explanatory error if it is not available Matthew Wild <mwild1@gmail.com> parents: 2128 diff changeset	134 assert(pcall(require, "util.cache"), "Using LIMIT with 'on' requires Prosody 0.10 or higher");
2128 21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	135 assert(idsafe(throttle), "Invalid rate limit name: "..throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	136 assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle);
21bc4d7cddae mod_firewall: Add support for throttling based on user-defined properties (experimental) Matthew Wild <mwild1@gmail.com> parents: 2126 diff changeset	137 return ("local multi_throttle_%s = rates.%s:multi();"):format(throttle, throttle);
971 53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	138 end;
53e158e44a44 mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables Matthew Wild <mwild1@gmail.com> parents: 967 diff changeset	139 };
2402 2040330586e4 mod_firewall: Split import of rostermanager into its own dependency Kim Alvefur <zash@zash.se> parents: 2385 diff changeset	140 rostermanager = {
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency Kim Alvefur <zash@zash.se> parents: 2385 diff changeset	141 global_code = [[local rostermanager = require "core.rostermanager";]];
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency Kim Alvefur <zash@zash.se> parents: 2385 diff changeset	142 };
2342 6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group) Matthew Wild <mwild1@gmail.com> parents: 2130 diff changeset	143 roster_entry = {
2416 ade918cd9ca7 mod_firewall: Only call rostermanager if username is available (fixes #796) Kim Alvefur <zash@zash.se> parents: 2415 diff changeset	144 local_code = [[local roster_entry = (to_node and rostermanager.load_roster(to_node, to_host) or {})[bare_from];]];
2402 2040330586e4 mod_firewall: Split import of rostermanager into its own dependency Kim Alvefur <zash@zash.se> parents: 2385 diff changeset	145 depends = { "rostermanager", "split_to", "bare_from" };
2040330586e4 mod_firewall: Split import of rostermanager into its own dependency Kim Alvefur <zash@zash.se> parents: 2385 diff changeset	146 };
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	147 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	148
2077 368b091e723b mod_firewall: Rename argument to avoid name clash [luacheck] Kim Alvefur <zash@zash.se> parents: 2076 diff changeset	149 local function include_dep(dependency, code)
368b091e723b mod_firewall: Rename argument to avoid name clash [luacheck] Kim Alvefur <zash@zash.se> parents: 2076 diff changeset	150 local dep, dep_param = dependency:match("^([^:]+):?(.*)$");
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	151 local dep_info = available_deps[dep];
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	152 if not dep_info then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	153 module:log("error", "Dependency not found: %s", dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	154 return;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	155 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	156 if code.included_deps[dep] then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	157 if code.included_deps[dep] ~= true then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	158 module:log("error", "Circular dependency on %s", dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	159 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	160 return;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	161 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	162 code.included_deps[dep] = false; -- Pending flag (used to detect circular references)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	163 for _, dep_dep in ipairs(dep_info.depends or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	164 include_dep(dep_dep, code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	165 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	166 if dep_info.global_code then
965 d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	167 if dep_param ~= "" then
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	168 table.insert(code.global_header, dep_info.global_code(dep_param));
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	169 else
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	170 table.insert(code.global_header, dep_info.global_code);
d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	171 end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	172 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	173 if dep_info.local_code then
965 d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	174 if dep_param ~= "" then
1303 8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	175 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code(dep_param).."\n");
965 d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	176 else
1303 8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	177 table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code.."\n");
965 d4e24fb289c0 mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone). Matthew Wild <mwild1@gmail.com> parents: 960 diff changeset	178 end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	179 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	180 code.included_deps[dep] = true;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	181 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	182
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	183 local definition_handlers = module:require("definitions");
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	184 local condition_handlers = module:require("conditions");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	185 local action_handlers = module:require("actions");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	186
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	187 local function new_rule(ruleset, chain)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	188 assert(chain, "no chain specified");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	189 local rule = { conditions = {}, actions = {}, deps = {} };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	190 table.insert(ruleset[chain], rule);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	191 return rule;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	192 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	193
2078 11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	194 local function parse_firewall_rules(filename)
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	195 local line_no = 0;
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	196
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	197 local function errmsg(err)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	198 return "Error compiling "..filename.." on line "..line_no..": "..err;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	199 end
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	200
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	201 local ruleset = {
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	202 deliver = {};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	203 };
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	204
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	205 local chain = "deliver"; -- Default chain
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	206 local rule;
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	207
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	208 local file, err = io.open(filename);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	209 if not file then return nil, err; end
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	210
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	211 local state; -- nil -> "rules" -> "actions" -> nil -> ...
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	212
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	213 local line_hold;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	214 for line in file:lines() do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	215 line = line:match("^%s(.-)%s$");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	216 if line_hold and line:sub(-1,-1) ~= "\\" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	217 line = line_hold..line;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	218 line_hold = nil;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	219 elseif line:sub(-1,-1) == "\\" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	220 line_hold = (line_hold or "")..line:sub(1,-2);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	221 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	222 line_no = line_no + 1;
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	223
2080 a435db77a5e5 mod_firewall: Silence warning about empty if branch [luacheck] Kim Alvefur <zash@zash.se> parents: 2078 diff changeset	224 if line_hold or line:find("^[#;]") then -- luacheck: ignore 542
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	225 -- No action; comment or partial line
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	226 elseif line == "" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	227 if state == "rules" then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	228 return nil, ("Expected an action on line %d for preceding criteria")
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	229 :format(line_no);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	230 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	231 state = nil;
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	232 elseif not(state) and line:sub(1, 2) == "::" then
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	233 chain = line:gsub("^::%s*", "");
980 aeb11522a44f mod_firewall: Fix variable name Kim Alvefur <zash@zash.se> parents: 971 diff changeset	234 local chain_info = chains[chain];
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	235 if not chain_info then
2364 17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/' Matthew Wild <mwild1@gmail.com> parents: 2342 diff changeset	236 if chain:match("^user/") then
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/' Matthew Wild <mwild1@gmail.com> parents: 2342 diff changeset	237 chains[chain] = { type = "event", priority = 1, "firewall/chains/"..chain };
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/' Matthew Wild <mwild1@gmail.com> parents: 2342 diff changeset	238 else
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/' Matthew Wild <mwild1@gmail.com> parents: 2342 diff changeset	239 return nil, errmsg("Unknown chain: "..chain);
17d236129118 mod_firewall: Allow implicit defitions of chains in scripts if they begin with 'user/' Matthew Wild <mwild1@gmail.com> parents: 2342 diff changeset	240 end
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	241 elseif chain_info.type ~= "event" then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	242 return nil, errmsg("Only event chains supported at the moment");
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	243 end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	244 ruleset[chain] = ruleset[chain] or {};
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	245 elseif not(state) and line:sub(1,1) == "%" then -- Definition (zone, limit, etc.)
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	246 local what, name = line:match("^%%%s*(%w+) +([^ :]+)");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	247 if not definition_handlers[what] then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	248 return nil, errmsg("Definition of unknown object: "..what);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	249 elseif not name or not idsafe(name) then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	250 return nil, errmsg("Invalid "..what.." name");
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	251 end
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	252
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	253 local val = line:match(": ?(.*)$");
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	254 if not val and line:find(":<") then -- Read from file
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	255 local fn = line:match(":< ?(.-)%s*$");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	256 if not fn then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	257 return nil, errmsg("Unable to parse filename");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	258 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	259 local f, err = io.open(fn);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	260 if not f then return nil, errmsg(err); end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	261 val = f:read("*a"):gsub("\r?\n", " "):gsub("%s+5", "");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	262 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	263 if not val then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	264 return nil, errmsg("No value given for definition");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	265 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	266
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	267 local ok, ret = pcall(definition_handlers[what], name, val);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	268 if not ok then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	269 return nil, errmsg(ret);
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	270 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	271
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	272 if not active_definitions[what] then
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	273 active_definitions[what] = {};
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	274 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	275 active_definitions[what][name] = ret;
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	276 elseif line:find("^[^%s:]+[%.=]") then
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	277 -- Action
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	278 if state == nil then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	279 -- This is a standalone action with no conditions
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	280 rule = new_rule(ruleset, chain);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	281 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	282 state = "actions";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	283 -- Action handlers?
2101 41a0a9db89ef mod_firewall: Allow actions to have underscores in their names Matthew Wild <mwild1@gmail.com> parents: 2100 diff changeset	284 local action = line:match("^[%w_]+");
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	285 if not action_handlers[action] then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	286 return nil, ("Unknown action on line %d: %s"):format(line_no, action or "<unknown>");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	287 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	288 table.insert(rule.actions, "-- "..line)
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	289 local ok, action_string, action_deps = pcall(action_handlers[action], line:match("=(.+)$"));
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	290 if not ok then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	291 return nil, errmsg(action_string);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	292 end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	293 table.insert(rule.actions, action_string);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	294 for _, dep in ipairs(action_deps or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	295 table.insert(rule.deps, dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	296 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	297 elseif state == "actions" then -- state is actions but action pattern did not match
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	298 state = nil; -- Awaiting next rule, etc.
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	299 table.insert(ruleset[chain], rule);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	300 rule = nil;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	301 else
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	302 if not state then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	303 state = "rules";
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	304 rule = new_rule(ruleset, chain);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	305 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	306 -- Check standard modifiers for the condition (e.g. NOT)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	307 local negated;
2404 9af2d36567a8 mod_firewall: Allow conditions to end with a question mark Kim Alvefur <zash@zash.se> parents: 2402 diff changeset	308 local condition = line:match("^[^:=%.?]*");
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	309 if condition:find("%f[%w]NOT%f[^%w]") then
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	310 local s, e = condition:match("%f[%w]()NOT()%f[^%w]");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	311 condition = (condition:sub(1,s-1)..condition:sub(e+1, -1)):match("^%s(.-)%s$");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	312 negated = true;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	313 end
998 6fdcebbd2284 mod_firewall: Fix conditions with spaces Matthew Wild <mwild1@gmail.com> parents: 996 diff changeset	314 condition = condition:gsub(" ", "_");
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	315 if not condition_handlers[condition] then
998 6fdcebbd2284 mod_firewall: Fix conditions with spaces Matthew Wild <mwild1@gmail.com> parents: 996 diff changeset	316 return nil, ("Unknown condition on line %d: %s"):format(line_no, (condition:gsub("_", " ")));
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	317 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	318 -- Get the code for this condition
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	319 local ok, condition_code, condition_deps = pcall(condition_handlers[condition], line:match(":%s?(.+)$"));
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	320 if not ok then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	321 return nil, errmsg(condition_code);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	322 end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	323 if negated then condition_code = "not("..condition_code..")"; end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	324 table.insert(rule.conditions, condition_code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	325 for _, dep in ipairs(condition_deps or {}) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	326 table.insert(rule.deps, dep);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	327 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	328 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	329 end
2078 11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	330 return ruleset;
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	331 end
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	332
2078 11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	333 local function process_firewall_rules(ruleset)
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	334 -- Compile ruleset and return complete code
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	335
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	336 local chain_handlers = {};
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	337
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	338 -- Loop through the chains in the parsed ruleset (e.g. incoming, outgoing)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	339 for chain_name, rules in pairs(ruleset) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	340 local code = { included_deps = {}, global_header = {} };
1304 9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	341 local condition_uses = {};
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	342 -- This inner loop assumes chain is an event-based, not a filter-based
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	343 -- chain (filter-based will be added later)
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	344 for _, rule in ipairs(rules) do
1304 9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	345 for _, condition in ipairs(rule.conditions) do
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	346 if condition:find("^not%(.+%)$") then
1304 9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	347 condition = condition:match("^not%((.+)%)$");
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	348 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	349 condition_uses[condition] = (condition_uses[condition] or 0) + 1;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	350 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	351 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	352
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	353 local condition_cache, n_conditions = {}, 0;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	354 for _, rule in ipairs(rules) do
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	355 for _, dep in ipairs(rule.deps) do
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	356 include_dep(dep, code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	357 end
1303 8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	358 table.insert(code, "\n\t\t");
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	359 local rule_code;
967 a88f33fe6970 mod_firewall: Don't add empty conditions check when no conditions are listed in a rule Matthew Wild <mwild1@gmail.com> parents: 966 diff changeset	360 if #rule.conditions > 0 then
996 37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	361 for i, condition in ipairs(rule.conditions) do
1001 c0850793b716 mod_firewall: don't use %b() (not technically correct) Matthew Wild <mwild1@gmail.com> parents: 999 diff changeset	362 local negated = condition:match("^not%(.+%)$");
996 37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	363 if negated then
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	364 condition = condition:match("^not%((.+)%)$");
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	365 end
1304 9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	366 if condition_uses[condition] > 1 then
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	367 local name = condition_cache[condition];
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	368 if not name then
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	369 n_conditions = n_conditions + 1;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	370 name = "condition"..n_conditions;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	371 condition_cache[condition] = name;
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	372 table.insert(code, "local "..name.." = "..condition..";\n\t\t");
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	373 end
9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	374 rule.conditions[i] = (negated and "not(" or "")..name..(negated and ")" or "");
996 37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	375 else
1304 9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	376 rule.conditions[i] = (negated and "not(" or "(")..condition..")";
996 37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	377 end
37af655ca575 mod_firewall: Cache conditions, so that they are only calculated once per chain execution Matthew Wild <mwild1@gmail.com> parents: 980 diff changeset	378 end
1304 9f24ccaa66a6 mod_firewall: Do not cache conditions with only a single use Florian Zeitz <florob@babelmonkeys.de> parents: 1303 diff changeset	379
1303 8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	380 rule_code = "if "..table.concat(rule.conditions, " and ").." then\n\t\t\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	381 ..table.concat(rule.actions, "\n\t\t\t")
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	382 .."\n\t\tend\n";
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	383 else
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	384 rule_code = table.concat(rule.actions, "\n\t\t");
967 a88f33fe6970 mod_firewall: Don't add empty conditions check when no conditions are listed in a rule Matthew Wild <mwild1@gmail.com> parents: 966 diff changeset	385 end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	386 table.insert(code, rule_code);
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	387 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	388
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	389 for name in pairs(definition_handlers) do
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	390 table.insert(code.global_header, 1, "local "..name:lower().."s = definitions."..name..";");
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	391 end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	392
1303 8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	393 local code_string = "return function (definitions, fire_event, log)\n\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	394 ..table.concat(code.global_header, "\n\t")
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	395 .."\n\tlocal db = require 'util.debug';\n\n\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	396 .."return function (event)\n\t\t"
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	397 .."local stanza, session = event.stanza, event.origin;\n"
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	398 ..table.concat(code, "")
8a3f3f485675 mod_firewall: Produce code with nicer indentation Florian Zeitz <florob@babelmonkeys.de> parents: 1052 diff changeset	399 .."\n\tend;\nend";
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	400
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	401 chain_handlers[chain_name] = code_string;
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	402 end
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	403
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	404 return chain_handlers;
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	405 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	406
2078 11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	407 local function compile_firewall_rules(filename)
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	408 local ruleset, err = parse_firewall_rules(filename);
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	409 if not ruleset then return nil, err; end
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	410 local chain_handlers = process_firewall_rules(ruleset);
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	411 return chain_handlers;
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	412 end
11539785cb92 mod_firewall: Split compile function into two parts in order to separate their scopes Kim Alvefur <zash@zash.se> parents: 2077 diff changeset	413
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	414 local function compile_handler(code_string, filename)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	415 -- Prepare event handler function
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	416 local chunk, err = loadstring(code_string, "="..filename);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	417 if not chunk then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	418 return nil, "Error compiling (probably a compiler bug, please report): "..err;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	419 end
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	420 local function fire_event(name, data)
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	421 return module:fire_event(name, data);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	422 end
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	423 chunk = chunk()(active_definitions, fire_event, logger(filename)); -- Returns event handler with 'zones' upvalue.
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	424 return chunk;
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	425 end
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	426
2366 14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	427 local function resolve_script_path(script_path)
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	428 local relative_to = prosody.paths.config;
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	429 if script_path:match("^module:") then
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	430 relative_to = module.path:sub(1, -#("/mod_"..module.name..".lua"));
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	431 script_path = script_path:match("^module:(.+)$");
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	432 end
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	433 return resolve_relative_path(relative_to, script_path);
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	434 end
14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	435
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	436 function module.load()
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	437 if not prosody.arg then return end -- Don't run in prosodyctl
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	438 active_definitions = {};
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	439 local firewall_scripts = module:get_option_set("firewall_scripts", {});
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	440 for script in firewall_scripts do
2366 14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	441 script = resolve_script_path(script);
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	442 local chain_functions, err = compile_firewall_rules(script)
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1325 diff changeset	443
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	444 if not chain_functions then
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	445 module:log("error", "Error compiling %s: %s", script, err or "unknown error");
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	446 else
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	447 for chain, handler_code in pairs(chain_functions) do
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	448 local handler, err = compile_handler(handler_code, "mod_firewall::"..chain);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	449 if not handler then
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	450 module:log("error", "Compilation error for %s: %s", script, err);
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	451 else
33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	452 local chain_definition = chains[chain];
1325 b21236b6b8d8 Backed out changeset 853a382c9bd6 Kim Alvefur <zash@zash.se> parents: 1324 diff changeset	453 if chain_definition and chain_definition.type == "event" then
b21236b6b8d8 Backed out changeset 853a382c9bd6 Kim Alvefur <zash@zash.se> parents: 1324 diff changeset	454 for _, event_name in ipairs(chain_definition) do
b21236b6b8d8 Backed out changeset 853a382c9bd6 Kim Alvefur <zash@zash.se> parents: 1324 diff changeset	455 module:hook(event_name, handler, chain_definition.priority);
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	456 end
2070 2356114ff505 mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned Kim Alvefur <zash@zash.se> parents: 1343 diff changeset	457 elseif not chain:sub(1, 5) == "user/" then
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	458 module:log("warn", "Unknown chain %q", chain);
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	459 end
956 33d6642f4db7 mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions Matthew Wild <mwild1@gmail.com> parents: 955 diff changeset	460 module:hook("firewall/chains/"..chain, handler);
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	461 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	462 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	463 end
c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	464 end
999 197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	465 -- Replace contents of definitions table (shared) with active definitions
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	466 for k in it.keys(definitions) do definitions[k] = nil; end
197af8440ffb mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with % Matthew Wild <mwild1@gmail.com> parents: 998 diff changeset	467 for k,v in pairs(active_definitions) do definitions[k] = v; end
947 c91cac3b823f mod_firewall: General stanza filtering plugin with a declarative rule-based syntax Matthew Wild <mwild1@gmail.com> parents: diff changeset	468 end
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	469
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	470 function module.command(arg)
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	471 if not arg[1] or arg[1] == "--help" then
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	472 require"util.prosodyctl".show_usage([[mod_firewall <firewall.pfw>]], [[Compile files with firewall rules to Lua code]]);
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	473 return 1;
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	474 end
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	475 local verbose = arg[1] == "-v";
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	476 if verbose then table.remove(arg, 1); end
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	477
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	478 local serialize = require "util.serialization".serialize;
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	479 if verbose then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	480 print("local logger = require \"util.logger\".init;");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	481 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	482 print("local function fire_event(name, data)\n\tmodule:fire_event(name, data)\nend");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	483 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	484 end
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	485
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	486 for _, filename in ipairs(arg) do
2366 14021c93a962 mod_firewall: Allow prefixing script paths with 'module:' to specify path relative to module file Matthew Wild <mwild1@gmail.com> parents: 2365 diff changeset	487 filename = resolve_script_path(filename);
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	488 print("do -- File "..filename);
2365 05dae9adf778 mod_firewall: Fix for when compiling on the command line and specifying multiple files Matthew Wild <mwild1@gmail.com> parents: 2364 diff changeset	489 local chain_functions = assert(compile_firewall_rules(filename));
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	490 if verbose then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	491 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	492 print("local active_definitions = "..serialize(active_definitions)..";");
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	493 print();
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	494 end
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	495 local c = 0;
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	496 for chain, handler_code in pairs(chain_functions) do
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	497 c = c + 1;
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	498 print("---- Chain "..chain:gsub("_", " "));
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	499 local chain_func_name = "chain_"..tostring(c).."_"..chain:gsub("%p", "_");
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	500 if not verbose then
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	501 print(("%s = %s;"):format(chain_func_name, handler_code:sub(8)));
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	502 else
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	503
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	504 print(("local %s = (%s)(active_definitions, fire_event, logger(%q));"):format(chain_func_name, handler_code:sub(8), filename));
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	505 print();
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	506
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	507 local chain_definition = chains[chain];
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	508 if chain_definition and chain_definition.type == "event" then
643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	509 for _, event_name in ipairs(chain_definition) do
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	510 print(("module:hook(%q, %s, %d);"):format(event_name, chain_func_name, chain_definition.priority or 0));
2118 643b254e75de mod_firewall: Disable more realistic output by default, activated by adding a -v flag Kim Alvefur <zash@zash.se> parents: 2117 diff changeset	511 end
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	512 end
2367 3ebd3cb4d7d2 mod_firewall: When compiling on the command-line with -v, ensure chain function names are unique and valid ids Matthew Wild <mwild1@gmail.com> parents: 2366 diff changeset	513 print(("module:hook(%q, %s, %d);"):format("firewall/chains/"..chain, chain_func_name, chain_definition.priority or 0));
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	514 end
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	515
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	516 print("---- End of chain "..chain);
5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	517 print();
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	518 end
2117 5aa3b93cd37a mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work) Kim Alvefur <zash@zash.se> parents: 2113 diff changeset	519 print("end -- End of file "..filename);
1052 80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	520 end
80f0a3231c59 mod_firewall: Add support for being called as a prosodyctl command Kim Alvefur <zash@zash.se> parents: 1051 diff changeset	521 end

Mercurial > prosody-modules

annotate mod_firewall/mod_firewall.lua @ 2494:d300ae5dba87