annotate mod_firewall/README.markdown @ 2374:d630fa0d4dba

mod_firewall: Add default zone called '$local' containing all local hosts (dynamically)
author Matthew Wild <mwild1@gmail.com>
date Fri, 18 Nov 2016 17:22:28 +0000
parents 5fe483b73fd2
children 7ad312b4cefe
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
1 ---
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
2 labels:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
3 - 'Stage-Alpha'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
4 summary: 'A rule-based stanza filtering module'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
5 ...
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
6
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
7 ------------------------------------------------------------------------
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
9 **Note:** mod\_firewall is in its very early stages. This documentation
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
10 is liable to change, and some described functionality may be missing,
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
11 incomplete or contain bugs. Feedback is welcome in the comments section
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
12 at the bottom of this page.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
14 ------------------------------------------------------------------------
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
16 Introduction
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
17 ============
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
19 A firewall is an invaluable tool in the sysadmin's toolbox. However
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
20 while low-level firewalls such as iptables and pf are incredibly good at
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
21 what they do, they are generally not able to handle application-layer
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
22 rules.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
24 The goal of mod\_firewall is to provide similar services at the XMPP
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
25 layer. Based on rule scripts it can efficiently block, bounce, drop,
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
26 forward, copy, redirect stanzas and more! Furthermore all rules can be
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
27 applied and updated dynamically at runtime without restarting the
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
28 server.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
30 Details
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
31 =======
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
33 mod\_firewall loads one or more scripts, and compiles these to Lua code
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
34 that reacts to stanzas flowing through Prosody. The firewall script
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
35 syntax is unusual, but straightforward.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
37 A firewall script is dominated by rules. Each rule has two parts:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
38 conditions, and actions. When a stanza matches all of the conditions,
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
39 all of the actions are executed in order.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 Here is a simple example to block stanzas from spammer@example.com:
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
43 FROM: spammer@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
44 DROP.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
46 FROM is a condition, and DROP is an action. This is about as simple as
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
47 it gets. How about heading to the other extreme? Let's demonstrate
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
48 something more complex that mod\_firewall can do for you:
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
50 %ZONE myorganisation: staff.myorg.example, support.myorg.example
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
52 ENTERING: myorganisation
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
53 KIND: message
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
54 TIME: 12am-9am, 5pm-12am, Saturday, Sunday
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
55 REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
57 This rule will reply with a short message whenever someone tries to send
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
58 a message to someone at any of the hosts defined in the 'myorganisation'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
59 outside of office hours.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
61 Firewall rules should be written to a `ruleset.pfw` file. Multiple such
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
62 rule files can be specified in the configuration using:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
63
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
64 firewall_scripts = { "path/to/ruleset.pfw" }
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
66 Conditions
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
67 ----------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
68
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
69 All conditions must come before any action in a rule block. The
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
70 condition name is followed by a colon (':'), and the value to test for.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
72 A condition can be preceded or followed by `NOT` to negate its match.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
73 For example:
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
74
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
75 NOT FROM: user@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
76 KIND NOT: message
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
77
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
78 ### Zones
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
79
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
80 A 'zone' is one or more hosts or JIDs. It is possible to match when a
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
81 stanza is entering or leaving a zone, while at the same time not
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
82 matching traffic passing between JIDs in the same zone.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
83
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
84 Zones are defined at the top of a script with the following syntax (they
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
85 are not part of a rule block):
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
86
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
87 %ZONE myzone: host1, host2, user@host3, foo.bar.example
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
88
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
89 A host listed in a zone also matches all users on that host (but not
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
90 subdomains).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
91
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
92 The following zone-matching conditions are supported:
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
93
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
94 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
95 ------------ ------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
96 `ENTERING` When a stanza is entering the named zone
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
97 `LEAVING` When a stanza is leaving the named zone
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
98
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
99 ### Stanza matching
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
100
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
101 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
102 ----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
103 `KIND` The kind of stanza. May be 'message', 'presence' or 'iq'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
104 `TYPE` The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
105 `PAYLOAD` The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
106 `INSPECT` The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
107
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
108 #### Stanza types
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
109
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
110 Stanza Valid types
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
111 ---------- ------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
112 iq get, set, result, error
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
113 presence *available*, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
114 message normal, chat, groupchat, headline, error
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
115
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
116 **Note:** The type 'available' for presence does not actually appear in
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
117 the protocol. Available presence is signalled by the omission of a type.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
118 Similarly, a message stanza with no type is equivalent to one of type
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
119 'normal'. mod\_firewall handles these cases for you automatically.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
120
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
121 #### INSPECT
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
122
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
123 INSPECT takes a 'path' through the stanza to get a string (an attribute
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
124 value or text content). An example is the best way to explain. Let's
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
125 check that a user is not trying to register an account with the username
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
126 'admin'. This stanza comes from [XEP-0077: In-band
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
127 Registration](http://xmpp.org/extensions/xep-0077.html#example-4):
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
128
2002
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
129 ``` xml
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
130 <iq type='set' id='reg2'>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
131 <query xmlns='jabber:iq:register'>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
132 <username>bill</username>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
133 <password>Calliope</password>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
134 <email>bard@shakespeare.lit</email>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
135 </query>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
136 </iq>
ce991c678370 mod_firewall/README: Markup XML example as XML :)
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
137 ```
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
138
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
139 KIND: iq
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
140 TYPE: set
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
141 PAYLOAD: jabber:iq:register
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
142 INSPECT: {jabber:iq:register}query/username#=admin
2360
97e63e8f0f32 mod_firewall: README: Fix example usage of BOUNCE
Matthew Wild <mwild1@gmail.com>
parents: 2342
diff changeset
143 BOUNCE=not-allowed (The username 'admin' is reserved.)
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
144
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
145 That weird string deserves some explanation. It is a path, divided into
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
146 segments by '/'. Each segment describes an element by its name,
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
147 optionally prefixed by its namespace in curly braces ('{...}'). If the
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
148 path ends with a '\#' then the text content of the last element will be
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
149 returned. If the path ends with '@name' then the value of the attribute
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
150 'name' will be returned.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
151
2110
c26b28c65d47 mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents: 2108
diff changeset
152 You can use INSPECT to test for the existence of an element or attribute,
c26b28c65d47 mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents: 2108
diff changeset
153 or you can see if it is equal to a string by appending `=STRING` (as in the
c26b28c65d47 mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents: 2108
diff changeset
154 example above). Finally,you can also test whether it matches a given Lua
c26b28c65d47 mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents: 2108
diff changeset
155 pattern by using `~=PATTERN`.
c26b28c65d47 mod_firewall: README: Document INSPECT's pattern matching ability
Matthew Wild <mwild1@gmail.com>
parents: 2108
diff changeset
156
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
157 INSPECT is somewhat slower than the other stanza matching conditions. To
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
158 minimise performance impact, always place it below other faster
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
159 condition checks where possible (e.g. above we first checked KIND, TYPE
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
160 and PAYLOAD matched before INSPECT).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
161
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
162 ### Sender/recipient matching
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
163
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
164 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
165 ----------- -------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
166 `FROM` The JID in the 'from' attribute matches the given JID
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
167 `TO` The JID in the 'to' attribute matches the given JID
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
168
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
169 These conditions both accept wildcards in the JID when the wildcard
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
170 expression is enclosed in angle brackets ('\<...\>'). For example:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
171
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
172 # All users at example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
173 FROM: <*>@example.com
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
174
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
175 # The user 'admin' on any subdomain of example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
176 FROM: admin@<*.example.com>
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
177
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
178 You can also use [Lua's pattern
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
179 matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
180 powerful matching abilities. Patterns are a lightweight
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
181 regular-expression alternative. Simply contain the pattern in double
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
182 angle brackets. The pattern is automatically anchored at the start and
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
183 end (so it must match the entire portion of the JID).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
184
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
185 # Match admin@example.com, and admin1@example.com, etc.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
186 FROM: <<admin%d*>>@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
187
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
188 **Note:** It is important to know that 'example.com' is a valid JID on
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
189 its own, and does **not** match 'user@example.com'. To perform domain
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
190 whitelists or blacklists, use Zones.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
191
2047
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
192 Condition Matches
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
193 ---------------- ---------------------------------------------------------------
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
194 `FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
195 `TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID
2036
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
196
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
197 These additional conditions do not support pattern matching, but are
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
198 useful to match the exact to/from address on a stanza. For example, if
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
199 no resource is specified then only bare JIDs will be matched. TO and FROM
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
200 match all resources if no resource is specified to match.
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
201
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
202 **Note:** Some chains execute before Prosody has performed any
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
203 normalisation or validity checks on the to/from JIDs on an incoming
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
204 stanza. It is not advisable to perform access control or similar rules
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
205 on JIDs in these chains (see the chain documentation for more info).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
206
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
207 ### Roster
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
208
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
209 These functions access the roster of the recipient (only). Therefore they cannot (currently)
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
210 be used in some chains, such as for outgoing messages (the recipient may be on another server).
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
211
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
212 Performance note: this check can potentially cause storage access (especially if the recipient
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
213 is currently offline), so you may want to limit its use in high-traffic situations, and place
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
214 it below other checks (such as a rate limiter).
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
215
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
216 #### IN_ROSTER
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
217
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
218 Tests whether the sender is in the recipient's roster.
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
219
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
220 IN_ROSTER: yes
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
221
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
222 #### IN_ROSTER_GROUP
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
223
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
224 Tests whether the sender is in the recipient's roster, and in the named group.
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
225
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
226 IN_ROSTER_GROUP: Friends
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
227
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
228 ### Time and date
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
229
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
230 #### TIME
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
231
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
232 Matches stanzas sent during certain time periods.
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
233
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
234 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
235 ----------- -------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
236 TIME When the current server local time is within one of the comma-separated time ranges given
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
237
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
238 TIME: 10pm-6am, 14:00-15:00
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
239 REPLY=Zzzz.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
240
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
241 #### DAY
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
242
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
243 It is also possible to match only on certain days of the week.
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
244
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
245 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
246 ----------- -----------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
247 DAY When the current day matches one, or falls within a rage, in the given comma-separated list of days
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
248
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
249 Example:
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
250
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
251 DAY: Sat-Sun, Wednesday
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
252 REPLY=Sorry, I'm out enjoying life!
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
253
2102
2c225b4b93d2 mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents: 2096
diff changeset
254 All times and dates are handled in the server's local time.
2c225b4b93d2 mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents: 2096
diff changeset
255
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
256 ### Rate-limiting
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
257
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
258 It is possible to selectively rate-limit stanzas, and use rules to
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
259 decide what to do with stanzas when over the limit.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
260
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
261 First, you must define any rate limits that you are going to use in your
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
262 script. Here we create a limiter called 'normal' that will allow 2
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
263 stanzas per second, and then we define a rule to bounce messages when
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
264 over this limit. Note that the `RATE` definition is not part of a rule
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
265 (multiple rules can share the same limiter).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
266
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
267 %RATE normal: 2 (burst 3)
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
268
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
269 KIND: message
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
270 LIMIT: normal
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
271 BOUNCE=policy-violation (Sending too fast!)
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
272
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
273 The 'burst' parameter on the rate limit allows you to spread the limit
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
274 check over a given time period. For example the definition shown above
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
275 will allow the limit to be temporarily surpassed, as long as it is
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
276 within the limit after 3 seconds. You will almost always want to specify
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
277 a burst factor.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
278
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
279 Both the rate and the burst can be fractional values. For example a rate
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
280 of 0.1 means only one event is allowed every 10 seconds.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
281
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
282 The LIMIT condition actually does two things; first it counts against
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
283 the given limiter, and then it checks to see if the limiter over its
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
284 limit yet. If it is, the condition matches, otherwise it will not.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
285
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
286 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
287 ----------- --------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
288 `LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
289
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
290 **Note:** Reloading mod\_firewall resets the current state of any
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
291 limiters.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
292
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
293 #### Dynamic limits
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
294
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
295 Sometimes you may want to have multiple throttles in a single condition, using some property of the session or stanza
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
296 to determine which throttle to use. For example, you might have a limit for incoming stanzas, but you want to limit by
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
297 sending JID, instead of all incoming stanzas sharing the same limit.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
298
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
299 You can use the 'on' keyword for this, like so:
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
300
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
301 LIMIT: normal on EXPRESSION
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
302
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
303 For more information on expressions, see the section later in this document.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
304
2370
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
305 Each value of 'EXPRESSION' has to be tracked individually in a table, which uses a small amount of memory. To prevent
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
306 memory exhaustion, the number of tracked values is limited to 1000 by default. You can override this by setting the
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
307 maximum number of table entries when you define the rate:
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
308
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
309 %RATE normal: 2 (burst 3) (entries 4096)
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
310
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
311 Old values are automatically removed from the tracking table. However if the tracking table becomes full, new entries
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
312 will be rejected - it will behave as if the rate limit was reached, even for values that have not been seen before. Since
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
313 this opens up a potential denial of service (innocent users may be affected if malicious users can fill up the tracking
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
314 table within the limit period). You can choose to instead "fail open", and allow the rate limit to be temporarily bypassed
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
315 when the table is full. To choose this behaviour, add `(allow overflow)` to the RATE definition.
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
316
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
317 ### Session marking
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
318
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
319 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
320 `ORIGIN_MARKED` condition.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
321
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
322 Condition Description
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
323 ------------------------------- ---------------------------------------------------------------
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
324 ORIGIN_MARKED: markname Matches if the origin has been marked with 'markname'.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
325 ORIGIN_MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
326
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
327 Example usage:
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
328
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
329 # This rule drops messages from sessions that have been marked as spammers in the past hour
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
330 ORIGIN_MARKED: spammer (3600s)
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
331 DROP.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
332
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
333 # This rule marks the origin session as a spammer if they send a message to a honeypot JID
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
334 KIND: message
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
335 TO: honeypot@example.com
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
336 MARK_ORIGIN=spammer
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
337
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
338 Actions
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
339 -------
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
340
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
341 Actions come after all conditions in a rule block. There must be at
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
342 least one action, though conditions are optional.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
343
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
344 An action without parameters ends with a full-stop/period ('.'), and one
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
345 with parameters uses an equals sign ('='):
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
346
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
347 # An action with no parameters:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
348 DROP.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
349
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
350 # An action with a parameter:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
351 REPLY=Hello, this is a reply.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
352
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
353 ### Route modification
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
354
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
355 The most common actions modify the stanza's route in some way. Currently
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
356 the first matching rule to do so will halt further processing of actions
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
357 and rules (this may change in the future).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
358
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
359 Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
360 ----------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
361 `PASS.` Stop executing actions and rules on this stanza, and let it through this chain.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
362 `DROP.` Stop executing actions and rules on this stanza, and discard it.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
363 `REDIRECT=jid` Redirect the stanza to the given JID.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
364 `REPLY=text` Reply to the stanza (assumed to be a message) with the given text.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
365 `BOUNCE.` Bounce the stanza with the default error (usually service-unavailable)
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
366 `BOUNCE=error` Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [RFC6120](http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions).
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
367 `BOUNCE=error (text)` As above, but include the supplied human-readable text with a description of the error
2092
f5d78bc016a6 mod_firewall: README: Add warning about COPY action's ability to cause loops (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents: 2047
diff changeset
368 `COPY=jid` Make a copy of the stanza and send the copy to the specified JID. The copied stanza flows through Prosody's routing code, and as such is affected by firewall rules. Be careful to avoid loops.
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
369
2095
3b4a6d255d7a mod_firewall: README: Add note about BOUNCE and error stanzas/iq results
Matthew Wild <mwild1@gmail.com>
parents: 2093
diff changeset
370 **Note:** It is incorrect behaviour to reply to an 'error' stanza with another error, so BOUNCE will simply act the same as 'DROP' for stanzas that should not be bounced (error stanzas and iq results).
3b4a6d255d7a mod_firewall: README: Add note about BOUNCE and error stanzas/iq results
Matthew Wild <mwild1@gmail.com>
parents: 2093
diff changeset
371
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
372 ### Stanza modification
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
373
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
374 These actions make it possible to modify the content and structure of a
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
375 stanza.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
376
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
377 Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
378 ------------------------ ------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
379 `STRIP=name` Remove any child elements with the given name in the default namespace
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
380 `STRIP=name namespace` Remove any child elements with the given name and the given namespace
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
381 `INJECT=xml` Inject the given XML into the stanza as a child element
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
382
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
383 ### Sessions
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
384
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
385 It is possible to mark sessions, and then use these marks to match rules later on.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
386
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
387 Action Description
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
388 ------------------------ --------------------------------------------------------------------------
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
389 `MARK_ORIGIN=mark` Marks the originating session with the given flag.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
390 `UNMARK_ORIGIN=mark` Removes the given mark from the origin session (if it is set).
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
391
2114
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
392 **Note:** Marks apply to sessions, not JIDs. E.g. if marking in a rule that matches a stanza received
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
393 over s2s, it is the s2s session that is marked.
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
394
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
395 It is possible to have multiple marks on an origin at any given time.
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
396
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
397 ### Informational
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
398
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
399 Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
400 --------------- ------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
401 `LOG=message` Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]`
2093
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
402
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
403 You can include expressions in log messages, using `$(...)` syntax. For example, to log the stanza that matched the rule, you can use $(stanza),
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
404 or to log just the top tag of the stanza, use $(stanza:top_tag()).
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
405
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
406 Example:
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
407
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
408 # Log all stanzas to user@example.com:
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
409 TO: user@example.com
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
410 LOG=[debug] User received: $(stanza)
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
411
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
412 More info about expressions can be found below.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
413
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
414 Chains
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
415 ------
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
416
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
417 Rules are grouped into "chains", which are injected at particular points in Prosody's routing code.
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
418
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
419 Available chains are:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
420
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
421 Chain Description
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
422 -------------- -------------------------------------------------------------------------------------------
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
423 deliver Applies to stanzas delivered to local recipients (regardless of the stanza's origin)
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
424 deliver_remote Applies to stanzas delivered to remote recipients (just before they leave the local server)
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
425 preroute Applies to incoming stanzas from local users, before any routing rules are applied
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
426
2111
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
427 A chain is begun by a line `::name` where 'name' is the name of the chain you want the following rules to be
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
428 inserted into. If no chain is specified, rules are put into the 'deliver' chain.
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
429
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
430 It is possible to create custom chains (useful with the JUMP_CHAIN action described below). User-created
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
431 chains must begin with "user/", e.g. "user/spam_filtering".
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
432
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
433 Example of chain use:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
434
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
435 # example.com's firewall script
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
436
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
437 # This line is optional, because 'deliver' is the default chain anyway:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
438 ::deliver
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
439
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
440 # This rule matches any stanzas delivered to our local user bob:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
441 TO: bob@example.com
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
442 DROP.
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
443
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
444 # Oops! This rule will never match, because alice is not a local user,
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
445 # and only stanzas to local users go through the 'deliver' chain:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
446 TO: alice@remote.example.com
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
447 DROP.
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
448
2104
384fb28452b9 mod_firewall: README: Improve chain usage example comments
Matthew Wild <mwild1@gmail.com>
parents: 2103
diff changeset
449 # Create a 'preroute' chain of rules (matched for incoming stanzas from local clients):
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
450 ::preroute
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
451 # These rules are matched for outgoing stanzas from local clients
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
452
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
453 # This will match any stanzas sent to alice from a local user:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
454 TO: alice@remote.example.com
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
455 DROP.
2105
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
456
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
457 Action Description
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
458 ------------------------ ------------------------------------------------------------------------
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
459 `JUMP_CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing.
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
460
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
461 Expressions
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
462 -----------
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
463
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
464 Some conditions and actions in rules support "expressions" in their parameters (their documentation will indicate if this is the case). Most parameters
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
465 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
466 rule is being run.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
467
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
468 There are two kinds of expression that you can use: stanza expressions, and code expressions.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
469
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
470 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
471 above.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
472
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
473 Example:
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
474
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
475 LOG=Matched a stanza from $<@from> to $<@to>
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
476
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
477 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) it will return the text `<undefined>`. You can override this
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
478 by specifying an alternative default value, using the syntax `$<path||default>`.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
479
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
480 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
481 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers)
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
482 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza,
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
483 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
484
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
485 Example to limit stanzas per session type:
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
486
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
487 LIMIT: normal on $(session.type)