annotate mod_throttle_unsolicited/mod_throttle_unsolicited.lua @ 5594:e9af6abf2b1e

mod_client_management: Add shell command to revoke client access
Could be used if an operator detects a compromised client.
author Kim Alvefur <zash@zash.se>
date Fri, 14 Jul 2023 13:25:30 +0200
parents 4d8a68557941
children
rev   line source
2082
163d55777ad5 mod_throttle_unsolicited: Limit rate of unsolicited messages sent to non-contacts
Kim Alvefur <zash@zash.se>
1 local st = require"util.stanza";
2 local jid_split = require "util.jid".split;
3 local jid_bare = require "util.jid".bare;
4 local is_contact_subscribed = require "core.rostermanager".is_contact_subscribed;
5 local throttle = require "util.throttle";
2120
f6dcfe263b85 mod_throttle_unsolicited: Mark sessions so they can be matched with 'ORIGIN_MARKED: throttle_unsolicited' by mod_firewall
Kim Alvefur <zash@zash.se>
parents: 2082
6 local gettime = require "socket".gettime;
2082
7
8 local max = module:get_option_number("unsolicited_messages_per_minute", 10);
2324
1424aa8877f0 mod_throttle_unsolicited: Add support for throttling unsolicited messages on incoming s2s connections
Kim Alvefur <zash@zash.se>
parents: 2143
9 local s2s_max = module:get_option_number("unsolicited_s2s_messages_per_minute");
2082
10 local multiplier = module:get_option_number("throttle_unsolicited_burst", 1);
11
12 function check_subscribed(event)
13     local stanza, origin = event.stanza, event.origin;
14     local log = origin.log or module._log;
15     if stanza.attr.type == "error" then return end
16
2142
d6fbb57a216c mod_throttle_unsolicited: Skip checking messages to self
Kim Alvefur <zash@zash.se>
parents: 2120
17     local to_orig = stanza.attr.to;
18     if to_orig == nil or to_orig == origin.full_jid then return end -- to self
19
20     local to_bare = jid_bare(to_orig);
21     local from_jid = jid_bare(stanza.attr.from);
22     if to_bare == from_jid then return end -- to own resource
23
2082
24     -- Check if it's a message to a joined room
25     local rooms = origin.rooms_joined;
26     if rooms and rooms[to_bare] then
27         return
28     end
29
30     -- Retrieve or create throttle object
31     local lim = origin.throttle_unsolicited;
32     if not lim then
33         lim = throttle.create(max * multiplier, 60 * multiplier);
34         origin.throttle_unsolicited = lim;
35     end
36
2142
37     local to_user, to_host = jid_split(to_orig);
2082
38     if to_user and not is_contact_subscribed(to_user, to_host, from_jid) then
3541
4d8a68557941 mod_throttle_unsolicited: reduce debug logs, rename firewall mark
Georg Lukas <georg@op-co.de>
parents: 2361
39         log("debug", "[unsolicited] %s is not subscribed to %s@%s", from_jid, to_user, to_host);
2082
40         if not lim:poll(1) then
3541
41             log("warn", "[unsolicited] Sent too many messages to non-contacts, bouncing message");
42             origin.firewall_mark_unsolicited = gettime();
2361
231d47e61c81 mod_throttle_unsolicited: Use existing local reference to origin
Kim Alvefur <zash@zash.se>
parents: 2324
43             origin.send(st.error_reply(stanza, "cancel", "service-unavailable"));
2082
44             return true;
45         end
46     end
47 end
48
49 module:hook("pre-message/bare", check_subscribed, 200);
50 module:hook("pre-message/full", check_subscribed, 200);
51
2324
52 local full_sessions = prosody.full_sessions;
53
54 -- Rooms and throttle creation will differ for s2s
55 function check_subscribed_s2s(event)
56     local stanza, origin = event.stanza, event.origin;
57     local log = origin.log or module._log;
58
59     if origin.type ~= "s2sin" then return end
60
61     local to_orig = stanza.attr.to;
62     local from_orig = stanza.attr.from;
63     local from_bare = jid_bare(from_orig);
64
65     local target = full_sessions[to_orig];
66     if target then
67         local rooms = target.rooms_joined;
68         if rooms and rooms[from_bare] then
69             log("debug", "Message to joined room, no limit");
70             return
71         end
72     end
73
74     -- Retrieve or create throttle object
75     local lim = origin.throttle_unsolicited;
76     if not lim then
77         log("debug", "New s2s throttle");
78         lim = throttle.create(s2s_max * multiplier, 60 * multiplier);
79         origin.throttle_unsolicited = lim;
80     end
81
82     return check_subscribed(event);
83 end
84
85 if s2s_max then
86     module:hook("message/bare", check_subscribed_s2s, 200);
87     module:hook("message/full", check_subscribed_s2s, 200);
88 end
89
2082
90 module:depends("track_muc_joins");
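
Both arguments passed to throttle.create() on source lines 33 and 78 scale with throttle_unsolicited_burst. The Lua sketch below is an added example, not part of mod_throttle_unsolicited or Prosody: new_bucket and bounced are hypothetical stand-ins that assume throttle.create(max, period) acts as a token bucket holding at most max tokens and refilling them evenly over period seconds, and the clock and traffic patterns are constructed. Under that assumption the burst setting enlarges the bucket a session starts with, while the sustained rate stays at the per-minute value.

```lua
-- Stand-in token bucket (assumption: capacity `max`, refilled linearly over
-- `period` seconds). This is not Prosody's util.throttle; the time is passed
-- in explicitly so the run is deterministic.
local function new_bucket(max, period, now)
	local b = { rate = max / period, max = max, balance = max, t = now };
	function b:poll(cost, at)
		-- Refill for the elapsed time, never beyond the bucket capacity
		self.balance = math.min(self.max, self.balance + self.rate * (at - self.t));
		self.t = at;
		if self.balance >= cost then
			self.balance = self.balance - cost;
			return true;
		end
		return false;
	end
	return b;
end

-- Send `count` messages to non-contacts, one every `interval` seconds, through
-- a bucket sized the way the module sizes it, and count the bounced ones.
local function bounced(per_minute, burst, count, interval)
	local lim = new_bucket(per_minute * burst, 60 * burst, 0);
	local n = 0;
	for i = 0, count - 1 do
		if not lim:poll(1, i * interval) then
			n = n + 1;
		end
	end
	return n;
end

-- Constructed traffic, each line printing the number of bounced messages.
-- Module defaults (10 per minute, burst 1), 30 messages within 3 seconds:
print("flood, burst 1:", bounced(10, 1, 30, 0.1));
-- Same flood with throttle_unsolicited_burst = 3: the bucket is three times larger
print("flood, burst 3:", bounced(10, 3, 30, 0.1));
-- A flood twice as long with burst 3: the larger bucket runs dry as well
print("long flood, burst 3:", bounced(10, 3, 60, 0.1));
-- One message every 6 seconds matches the refill rate of 10 per minute
print("steady, burst 1:", bounced(10, 1, 30, 6));
```

When choosing a burst value, treat unsolicited_messages_per_minute times throttle_unsolicited_burst as the number of messages to non-contacts a fresh session can send back to back before the first bounce.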