annotate mod_firewall/README.markdown @ 5819:bb51cf204dd4 default tip

mod_sasl_ssdp: Fix event name so legacy SASL works correctly (thanks Martin!)
author Matthew Wild <mwild1@gmail.com>
date Tue, 09 Jan 2024 13:50:18 +0000
parents ad5c77793750
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
1 ---
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
2 labels:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
3 - 'Stage-Alpha'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
4 summary: 'A rule-based stanza filtering module'
4169
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
5 rockspec:
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
6 build:
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
7 modules:
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
8 mod_firewall.actions: actions.lib.lua
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
9 mod_firewall.conditions: conditions.lib.lua
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
10 mod_firewall.definitions: definitions.lib.lua
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
11 mod_firewall.marks: marks.lib.lua
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
12 mod_firewall.test: test.lib.lua
5522
e8f46195b292 mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se>
parents: 5235
diff changeset
13 copy_directories:
e8f46195b292 mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se>
parents: 5235
diff changeset
14 - scripts
4169
ae738969f38a mod_firewall: Add packaging metadata to include libraries
Kim Alvefur <zash@zash.se>
parents: 4152
diff changeset
15 ---
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
16
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
17 ------------------------------------------------------------------------
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
19 **Note:** mod\_firewall is in its very early stages. This documentation
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
20 is liable to change, and some described functionality may be missing,
2375
7ad312b4cefe mod_firewall/README: Remove mention of comments section from google code
Kim Alvefur <zash@zash.se>
parents: 2370
diff changeset
21 incomplete or contain bugs.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
23 ------------------------------------------------------------------------
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
25 Introduction
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
26 ============
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
28 A firewall is an invaluable tool in the sysadmin's toolbox. However
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
29 while low-level firewalls such as iptables and pf are incredibly good at
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
30 what they do, they are generally not able to handle application-layer
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
31 rules.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
33 The goal of mod\_firewall is to provide similar services at the XMPP
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
34 layer. Based on rule scripts it can efficiently block, bounce, drop,
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
35 forward, copy, redirect stanzas and more! Furthermore all rules can be
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
36 applied and updated dynamically at runtime without restarting the
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
37 server.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
39 Details
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
40 =======
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
42 mod\_firewall loads one or more scripts, and compiles these to Lua code
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
43 that reacts to stanzas flowing through Prosody. The firewall script
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
44 syntax is unusual, but straightforward.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
46 A firewall script is dominated by rules. Each rule has two parts:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
47 conditions, and actions. When a stanza matches all of the conditions,
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
48 all of the actions are executed in order.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 Here is a simple example to block stanzas from spammer@example.com:
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
52 FROM: spammer@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
53 DROP.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
55 FROM is a condition, and DROP is an action. This is about as simple as
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
56 it gets. How about heading to the other extreme? Let's demonstrate
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
57 something more complex that mod\_firewall can do for you:
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
59 %ZONE myorganisation: staff.myorg.example, support.myorg.example
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
61 ENTERING: myorganisation
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
62 KIND: message
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
63 TIME: 12am-9am, 5pm-12am, Saturday, Sunday
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
64 REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
66 This rule will reply with a short message whenever someone tries to send
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
67 a message to someone at any of the hosts defined in the 'myorganisation'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
68 outside of office hours.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
69
2387
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
70 Specifying rule sets
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
71 --------------------
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
72
2387
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
73 Firewall rules should be written into text files, e.g. `ruleset.pfw` file.
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
74 One or more rule files can be specified in the configuration using:
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
75
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
76 firewall_scripts = { "path/to/ruleset.pfw", "path/to/ruleset2.pfw" }
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
77
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
78 If multiple files are specified and they both add rules to the same [chains](#chains),
2387
5bfb2ccab2ab mod_firewall: README: Add more info about specifying rule set files
Matthew Wild <mwild1@gmail.com>
parents: 2375
diff changeset
79 each file's rules will be processed in order, but the order of files is undefined.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
80
4152
87daef9ed4e7 Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents: 4127
diff changeset
81 Reloading Prosody's configuration also reloads firewall rules.
87daef9ed4e7 Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents: 4127
diff changeset
82
87daef9ed4e7 Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents: 4127
diff changeset
83 Make sure that `firewall_scripts` is in the global section of the configuration file
87daef9ed4e7 Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents: 4127
diff changeset
84 and not below a virtual host or a component - unless you want per-vhost
87daef9ed4e7 Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents: 4127
diff changeset
85 firewall rules.
87daef9ed4e7 Improve mod_firewall readme
Christian Weiske <cweiske@cweiske.de>
parents: 4127
diff changeset
86
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
87 Conditions
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
88 ----------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
89
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
90 All conditions must come before any action in a rule block. The
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
91 condition name is followed by a colon (':'), and the value to test for.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
92
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
93 A condition can be preceded or followed by `NOT` to negate its match.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
94 For example:
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
95
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
96 NOT FROM: user@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
97 KIND NOT: message
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
98
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
99 Some conditions do not take parameters, and these should end with just a
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
100 question mark, like:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
101
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
102 IN ROSTER?
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
103
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
104 ### Zones
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
105
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
106 A 'zone' is one or more hosts or JIDs. It is possible to match when a
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
107 stanza is entering or leaving a zone, while at the same time not
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
108 matching traffic passing between JIDs in the same zone.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
109
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
110 Zones are defined at the top of a script with the following syntax (they
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
111 are not part of a rule block):
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
112
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
113 %ZONE myzone: host1, host2, user@host3, foo.bar.example
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
114
2388
b6d59998dba7 mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents: 2387
diff changeset
115 There is an automatic zone named `$local`, which automatically includes
b6d59998dba7 mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents: 2387
diff changeset
116 all of the current server's active hosts (including components). It can
b6d59998dba7 mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents: 2387
diff changeset
117 be used to match stanzas entering or leaving the current server.
b6d59998dba7 mod_firewall: README: Document dynamic '$local' zone
Matthew Wild <mwild1@gmail.com>
parents: 2387
diff changeset
118
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
119 A host listed in a zone also matches all users on that host (but not
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
120 subdomains).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
121
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
122 The following zone-matching conditions are supported:
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
123
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
124 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
125 ------------ ------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
126 `ENTERING` When a stanza is entering the named zone
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
127 `LEAVING` When a stanza is leaving the named zone
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
128
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
129 ### Lists
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
130
4583
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
131 It is possible to create or load lists of strings for use in scripts. For
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
132 example, you might load a list of blocked JIDs, malware URLs or simple words
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
133 that you want to filter messages on.
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
134
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
135 List type Example
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
136 ----------- -----------------------
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
137 memory %LIST spammers: memory
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
138 file %LIST spammers: file:/etc/spammers.txt
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
139 http %LIST spammers: http://example.com/spammers.txt
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
140
4126
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
141 #### List types
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
142 ##### memory
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
143
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
144 ```
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
145 %LIST name: memory (limit: number)
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
146 ```
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
147
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
148 A memory-only list, with an optional limit. Supports addition and removal of items by scripts.
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
149
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
150 If a limit is provided, the oldest item will be discarded to make room for a new item if the
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
151 list is full. The limit is useful to prevent infinite memory growth on busy servers.
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
152
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
153 ##### file
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
154
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
155 ```
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
156 %LIST name: file:/path/to/file (missing: string)
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
157 ```
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
158
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
159 Reads a list from a file. The list can be added to and removed from by scripts, but
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
160 these changes do not persist between restarts.
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
161
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
162 If the file is missing, an error will be raised. The optional 'missing' parameter can be set
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
163 to 'ignore' (e.g. `(missing: ignore)`) to ignore a missing file.
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
164
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
165 ##### http
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
166
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
167 ```
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
168 %LIST name: http://example.com/ (ttl: number, pattern: pat, hash: sha1, checkcerts: when-sni)
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
169 ```
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
170
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
171 Fetches a list from a HTTP or HTTPS URL. The following options are accepted:
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
172
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
173 Option Description
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
174 ------- -----------
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
175 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour).
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
176 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item.
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
177 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256.
4127
e9e10ec1b91c mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents: 4126
diff changeset
178 checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni".
e9e10ec1b91c mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents: 4126
diff changeset
179
e9e10ec1b91c mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents: 4126
diff changeset
180 The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI,
e9e10ec1b91c mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
Matthew Wild <mwild1@gmail.com>
parents: 4126
diff changeset
181 as in Prosody 0.11.6 and earlier.
4126
68ceb7e0cfe6 mod_firewall: Add docs for list types and parameters
Matthew Wild <mwild1@gmail.com>
parents: 4072
diff changeset
182
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
183 #### CHECK LIST
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
184
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
185 Checks whether a simple [expression](#expressions) is found in a given list.
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
186
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
187 Example:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
188
4583
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
189 %LIST blocked_jids: file:/etc/prosody/blocked_jids.txt
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
190
4583
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
191 # Rule to block presence subscription requests from blocked JIDs
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
192 KIND: presence
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
193 TYPE: subscribe
4583
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
194 CHECK LIST: blocked_jids contains $<@from>
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
195 BOUNCE=policy-violation (Your JID is blocked)
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
196
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
197 #### SCAN
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
198
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
199 SCAN allows you to search inside a stanza for a given pattern, and check each result against a list. For example,
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
200 you could scan a message body for words and check if any of the words are found in a given list.
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
201
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
202 Before using SCAN, you need to define a search location and a pattern. The search location uses the same 'path'
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
203 format as documented under the 'INSPECT' condition. Patterns can be any valid Lua pattern.
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
204
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
205 To use the above example:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
206
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
207 # Define a search location called 'body' which fetches the text of the 'body' element
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
208 %SEARCH body: body#
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
209 # Define a pattern called 'word' which matches any sequence of letters
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
210 %PATTERN word: [A-Za-z]+
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
211 # Finally, we also need our list of "bad" words:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
212 %LIST badwords: file:/etc/prosody/bad_words.txt
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
213
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
214 # Now we can use these to SCAN incoming stanzas
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
215 # If it finds a match, bounce the stanza
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
216 SCAN: body for word in badwords
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
217 BOUNCE=policy-violation (This word is not allowed!)
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
218
2545
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
219 #### COUNT
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
220
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
221 COUNT is similar to SCAN, in that it uses a defined SEARCH and breaks it up according to a PATTERN. Then it
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
222 counts the number of results.
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
223
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
224 For example, to block every message with more than one URL:
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
225
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
226 # Define a search location called 'body' which fetches the text of the 'body' element
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
227 %SEARCH body: body#
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
228 # Define a pattern called 'url' which matches HTTP links
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
229 %PATTERN url: https?://%S+
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
230
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
231 COUNT: url in body > 1
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
232 BOUNCE=policy-violation (Up to one HTTP URL is allowed in messages)
9b46d24edf0d mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents: 2540
diff changeset
233
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
234 ### Stanza matching
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
235
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
236 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
237 ----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
238 `KIND` The kind of stanza. May be 'message', 'presence' or 'iq'
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
239 `TYPE` The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
240 `PAYLOAD` The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
241 `INSPECT` The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
242
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
243 #### Stanza types
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
244
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
245 Stanza Valid types
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
246 ---------- ------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
247 iq get, set, result, error
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
248 presence *available*, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
249 message normal, chat, groupchat, headline, error
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
250
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
251 **Note:** The type 'available' for presence does not actually appear in
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
252 the protocol. Available presence is signalled by the omission of a type.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
253 Similarly, a message stanza with no type is equivalent to one of type
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
254 'normal'. mod\_firewall handles these cases for you automatically.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
255
5703
0ac4545cb4f9 mod_firewall: Tweak page outline
Kim Alvefur <zash@zash.se>
parents: 5530
diff changeset
256 #### Sender/recipient matching
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
257
5530
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
258 Condition Matches
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
259 --------------- -------------------------------------------------------
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
260 `FROM` The JID in the 'from' attribute matches the given JID.
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
261 `TO` The JID in the 'to' attribute matches the given JID.
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
262 `TO SELF` The stanza is sent by any of a user's resources to their own bare JID.
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
263 `TO FULL JID` The stanza is addressed to a **valid** full JID on the local server (full JIDs include a resource at the end, and only exist for the lifetime of a single session, therefore the recipient **must be online**, or this check will not match).
8226ac08484e mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com>
parents: 5529
diff changeset
264 `FROM FULL JID` The stanza is from a full JID (unlike `TO FULL JID` this check is on the format of the JID only).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
265
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
266 The TO and FROM conditions both accept wildcards in the JID when it is
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
267 enclosed in angle brackets ('\<...\>'). For example:
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
268
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
269 # All users at example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
270 FROM: <*>@example.com
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
271
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
272 # The user 'admin' on any subdomain of example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
273 FROM: admin@<*.example.com>
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
274
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
275 You can also use [Lua's pattern
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
276 matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
277 powerful matching abilities. Patterns are a lightweight
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
278 regular-expression alternative. Simply contain the pattern in double
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
279 angle brackets. The pattern is automatically anchored at the start and
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
280 end (so it must match the entire portion of the JID).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
281
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
282 # Match admin@example.com, and admin1@example.com, etc.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
283 FROM: <<admin%d*>>@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
284
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
285 **Note:** It is important to know that 'example.com' is a valid JID on
4583
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
286 its own, and does **not** match 'user@example.com'. To efficiently match
bb8459c220c9 mod_firewall: Documentation updates to reduce confusion and use inclusive language
Matthew Wild <mwild1@gmail.com>
parents: 4236
diff changeset
287 domains we recommend defining them as [Zones](#zones).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
288
2047
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
289 Condition Matches
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
290 ---------------- ---------------------------------------------------------------
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
291 `FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID
2ec7c0b8a371 mod_firewall/README: Fix table
Kim Alvefur <zash@zash.se>
parents: 2036
diff changeset
292 `TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID
2036
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
293
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
294 These additional conditions do not support pattern matching, but are
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
295 useful to match the exact to/from address on a stanza. For example, if
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
296 no resource is specified then only bare JIDs will be matched. TO and FROM
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
297 match all resources if no resource is specified to match.
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents: 2002
diff changeset
298
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
299 **Note:** Some chains execute before Prosody has performed any
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
300 normalisation or validity checks on the to/from JIDs on an incoming
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
301 stanza. It is not advisable to perform access control or similar rules
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
302 on JIDs in these chains (see the [chain documentation](#chains) for more info).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
303
5704
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
304 #### GeoIP matching
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
305
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
306 Condition Matches
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
307 ---------------- --------------------------------------------------------------
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
308 `FROM COUNTRY` Two or three letter country code looked up in GeoIP database
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
309
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
310 This condition uses a GeoIP database to look up the origin country of
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
311 the IP attached to the current session.
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
312
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
313 For example:
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
314
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
315 # 3 letter country code
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
316 FROM COUNTRY: SWE
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
317
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
318 # or 2 letter
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
319 FROM COUNTRY: SE
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
320
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
321 # Explicit
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
322 FROM COUNTRY: code=SE
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
323 FROM COUNTRY: code3=SWE
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
324
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
325 **Note:** This requires that the `lua-geoip` and `geoip-database`
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
326 packages are installed (on Debian, package names may differ on other
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
327 operating systems).
ad5c77793750 mod_firewall: Add FROM COUNTRY condition based on GeoIP DB
Kim Alvefur <zash@zash.se>
parents: 5703
diff changeset
328
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
329 #### INSPECT
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
330
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
331 INSPECT takes a 'path' through the stanza to get a string (an attribute
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
332 value or text content). An example is the best way to explain. Let's
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
333 check that a user is not trying to register an account with the username
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
334 'admin'. This stanza comes from [XEP-0077: In-band
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
335 Registration](http://xmpp.org/extensions/xep-0077.html#example-4):
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
336
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
337 ``` xml
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
338 <iq type='set' id='reg2'>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
339 <query xmlns='jabber:iq:register'>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
340 <username>bill</username>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
341 <password>Calliope</password>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
342 <email>bard@shakespeare.lit</email>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
343 </query>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
344 </iq>
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
345 ```
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
346
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
347 KIND: iq
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
348 TYPE: set
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
349 PAYLOAD: jabber:iq:register
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
350 INSPECT: {jabber:iq:register}query/username#=admin
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
351 BOUNCE=not-allowed (The username 'admin' is reserved.)
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
352
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
353 That weird string deserves some explanation. It is a path, divided into
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
354 segments by '/'. Each segment describes an element by its name,
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
355 optionally prefixed by its namespace in curly braces ('{...}'). If the
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
356 path ends with a '\#' then the text content of the last element will be
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
357 returned. If the path ends with '@name' then the value of the attribute
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
358 'name' will be returned.
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
359
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
360 You can use INSPECT to test for the existence of an element or attribute,
4235
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
361 or you can check if it matches a specific value, e.g. by appending `=VALUE`
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
362 (like in the example above, that checks if the content of username is 'admin').
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
363
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
364 #### INSPECT comparison operators
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
365
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
366 As well as checking for an exact string match, there are some other modifiers
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
367 you can apply to the comparison:
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
368
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
369 Comparison Matches when
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
370 ------------- -------------------------------------------------------
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
371 `=` The value is exactly the given string.
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
372 `/=` The value is or *contains* the given string (e.g. `/=admin` would match `administrator` or `myadmin`).
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
373 `~=` The value matches the given [Lua pattern](https://www.lua.org/manual/5.2/manual.html#6.4.1).
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
374
4235
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
375 Finally, if the comparison operator is preceded by a `$` character, [expressions](#expressions)
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
376 will be interpreted in the string following the comparison operator.
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
377
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
378 e.g. `INSPECT: {jabber:iq:register}query/username}$/=$(session.host)` would match
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
379 if the username of an account registration contained the session's current hostname
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
380 somewhere in it.
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
381
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
382 #### INSPECT performance
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
383
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
384 INSPECT can be somewhat slower than the other stanza matching conditions. To
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
385 minimise performance impact, always place it below other faster
4235
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
386 condition checks where possible (e.g. in the example above we first checked KIND,
45606c9f529a mod_firewall: Improve 'INSPECT' comparison operator documentation
Matthew Wild <mwild1@gmail.com>
parents: 4169
diff changeset
387 TYPE and PAYLOAD matched what we wanted before reaching the INSPECT rule).
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
388
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
389 ### Roster
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
390
4966
4ffd6551f4bb mod_firewall: README: Clarify when storage access can occur with roster checks
Matthew Wild <mwild1@gmail.com>
parents: 4965
diff changeset
391 These conditions access the roster of the recipient (only). Therefore they cannot (currently)
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
392 be used in some [chains](#chains), such as for outgoing messages (the recipient may be on another server).
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
393
4966
4ffd6551f4bb mod_firewall: README: Clarify when storage access can occur with roster checks
Matthew Wild <mwild1@gmail.com>
parents: 4965
diff changeset
394 Performance note: these checks can potentially cause storage access (especially if the recipient
4967
1e8381f0d0a8 mod_firewall: README: Fix grammar and further improve wording
Matthew Wild <mwild1@gmail.com>
parents: 4966
diff changeset
395 is currently offline), so you may want to limit their use in high-traffic situations, and place rules
4966
4ffd6551f4bb mod_firewall: README: Clarify when storage access can occur with roster checks
Matthew Wild <mwild1@gmail.com>
parents: 4965
diff changeset
396 containing a roster check below other rules (such as a rate limiter). The storage access is
4967
1e8381f0d0a8 mod_firewall: README: Fix grammar and further improve wording
Matthew Wild <mwild1@gmail.com>
parents: 4966
diff changeset
397 performed unconditionally just before evaluation of the first rule that contains a roster-based
1e8381f0d0a8 mod_firewall: README: Fix grammar and further improve wording
Matthew Wild <mwild1@gmail.com>
parents: 4966
diff changeset
398 condition, even if earlier conditions in that rule do not match.
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
399
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
400 #### IN ROSTER
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
401
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
402 Tests whether the sender is in the recipient's roster.
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
403
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
404 IN ROSTER?
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
405
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
406 #### IN ROSTER GROUP
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
407
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
408 Tests whether the sender is in the recipient's roster, and in the named group.
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
409
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
410 IN ROSTER GROUP: Friends
2342
6848297cf40a mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents: 2114
diff changeset
411
2410
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
412 #### SUBSCRIBED
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
413
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
414 Tests whether the recipient is subscribed to the sender, ie will receive
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
415 presence updates from them.
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
416
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
417 Note that this *does* work, regardless of direction and which [chain](#chain) is
2410
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
418 used, since both the sender and the recipient will have mirrored roster
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
419 entries.
898e70e85185 mod_firewall/README: Document SUBSCRIBED
Kim Alvefur <zash@zash.se>
parents: 2390
diff changeset
420
2390
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
421 ### Groups
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
422
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
423 Using Prosody's mod\_groups it is possible to define groups of users on the server. You can
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
424 match based on these groups in firewall rules.
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
425
2594
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
426 Condition Matches
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
427 ----------------- ----------------------------
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
428 `FROM GROUP` When the stanza is being sent from a member of the named group
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
429 `TO GROUP` When the stanza is being sent to a member of the named group
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
430 `CROSSING GROUPS` When the stanza is being sent between users of different named groups
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
431
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
432 #### CROSSING GROUPS
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
433
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
434 The `CROSSING GROUPS` condition takes a comma-separated list of groups to check. If the
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
435 sender and recipient are not in the same group (only the listed groups are checked), then the
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
436 this condition matches and the stanza is deemed to be crossing between groups.
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
437
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
438 For example, if you had three groups: Engineering, Marketing and Employees. All users are
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
439 members of the 'Employees' group, and the others are for employees of the named department only.
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
440
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
441 To prevent employees in the marketing department from communicating with engineers, you could use
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
442 the following rule:
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
443
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
444 ```
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
445 CROSSING GROUPS: Marketing, Engineering
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
446 BOUNCE=policy-violation (no communication between these groups is allowed!)
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
447 ```
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
448
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
449 This works, even though both the users are in the 'Employees' group, because that group is not listed
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
450 in the condition.
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
451
1e1c929c1aa5 mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents: 2576
diff changeset
452 In the above example, a user who is member of both groups is not restricted.
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
453
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
454 #### SENT DIRECTED PRESENCE TO SENDER
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
455
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
456 This condition matches if the recipient of a stanza has previously sent directed presence to the sender of the stanza. This
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
457 is often done in XMPP to exchange presence information with JIDs that are not on your roster, such as MUC rooms.
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
458
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
459 This condition does not take a parameter - end the condition name with a question mark:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
460
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
461 # Rule to bounce messages from senders not in the roster who haven't been sent directed presence
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
462 NOT IN ROSTER?
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
463 NOT SENT DIRECTED PRESENCE TO SENDER?
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
464 BOUNCE=service-unavailable
2390
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
465
5002
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
466 ### Permissions
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
467
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
468 Rules can consult Prosody's internal role and permissions system to check whether a certain action may
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
469 be performed. The acting entity, their role, and appropriate context is automatically inferred. All you
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
470 need to do is provide the identifier of the permission that should be checked.
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
471
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
472 Condition Description
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
473 ----------------------- --------------------------------------------------------------------
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
474 `MAY=permission` Checks whether 'permission' is allowed in the current context.
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
475
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
476 As with all other conditions, `MAY` can be combined with `NOT` to negate the result of the check.
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
477
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
478 Example, blocking outgoing stanzas from users with roles that do not allow the 'xmpp:federate' permission:
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
479
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
480 ```
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
481 ::deliver_remote
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
482 MAY NOT: xmpp:federate
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
483 BOUNCE=policy-violation (You are not allowed access to the federation)
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
484 ```
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
485
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
486 ### Roles
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
487
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
488 Condition Matches
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
489 ---------------- -------------------------------------------------------------------------------------
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
490 `TO ROLE` When the recipient JID of the stanza has the named role
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
491 `FROM ROLE` When the sender JID of the stanza has the named role
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
492
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
493 **Note:** In most cases, you should avoid checking for specific roles, and instead check for
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
494 permissions granted by those roles (using the 'MAY' condition).
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
495
2390
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
496 ### Admins
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
497
5002
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
498 **Deprecated:** These conditions should no longer be used. Prefer 'MAY', 'TO ROLE' or 'FROM ROLE'.
84997bc3f92e mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents: 4967
diff changeset
499
2390
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
500 Prosody allows certain JIDs to be declared as administrators of a host, component or the whole server.
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
501
2576
95b79d515a65 mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents: 2559
diff changeset
502 Condition Matches
95b79d515a65 mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents: 2559
diff changeset
503 ---------------- -------------------------------------------------------------------------------------
95b79d515a65 mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents: 2559
diff changeset
504 `TO ADMIN` When the recipient of the stanza is admin of the current host
95b79d515a65 mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents: 2559
diff changeset
505 `FROM ADMIN` When the sender of the stanza is admin of the current host
95b79d515a65 mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents: 2559
diff changeset
506 `FROM ADMIN OF` When the sender of the stanza is an admin of the named host on the current server
95b79d515a65 mod_firewall: README: Document TO/FROM ADMIN, FORWARD, TO SELF and TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents: 2559
diff changeset
507 `TO ADMIN OF` When the recipient of the stanza is an admin of the named host on the current server
2390
28fbe960adcf mod_firewall: README: Document conditions for groups and admins
Matthew Wild <mwild1@gmail.com>
parents: 2389
diff changeset
508
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
509 ### Time and date
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
510
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
511 #### TIME
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
512
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
513 Matches stanzas sent during certain time periods.
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
514
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
515 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
516 ----------- -------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
517 TIME When the current server local time is within one of the comma-separated time ranges given
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
518
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
519 TIME: 10pm-6am, 14:00-15:00
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
520 REPLY=Zzzz.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
521
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
522 #### DAY
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
523
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
524 It is also possible to match only on certain days of the week.
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
525
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
526 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
527 ----------- -----------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
528 DAY When the current day matches one, or falls within a rage, in the given comma-separated list of days
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
529
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
530 Example:
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
531
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
532 DAY: Sat-Sun, Wednesday
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
533 REPLY=Sorry, I'm out enjoying life!
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
534
2102
2c225b4b93d2 mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents: 2096
diff changeset
535 All times and dates are handled in the server's local time.
2c225b4b93d2 mod_firewall: README: Add note about time functions using server's local time
Matthew Wild <mwild1@gmail.com>
parents: 2096
diff changeset
536
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
537 ### Rate-limiting
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
538
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
539 It is possible to selectively rate-limit stanzas, and use rules to
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
540 decide what to do with stanzas when over the limit.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
541
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
542 First, you must define any rate limits that you are going to use in your
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
543 script. Here we create a limiter called 'normal' that will allow 2
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
544 stanzas per second, and then we define a rule to bounce messages when
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
545 over this limit. Note that the `RATE` definition is not part of a rule
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
546 (multiple rules can share the same limiter).
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
547
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
548 %RATE normal: 2 (burst 3)
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
549
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
550 KIND: message
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
551 LIMIT: normal
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
552 BOUNCE=policy-violation (Sending too fast!)
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
553
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
554 The 'burst' parameter on the rate limit allows you to spread the limit
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
555 check over a given time period. For example the definition shown above
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
556 will allow the limit to be temporarily surpassed, as long as it is
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
557 within the limit after 3 seconds. You will almost always want to specify
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
558 a burst factor.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
559
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
560 Both the rate and the burst can be fractional values. For example a rate
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
561 of 0.1 means only one event is allowed every 10 seconds.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
562
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
563 The LIMIT condition actually does two things; first it counts against
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
564 the given limiter, and then it checks to see if the limiter over its
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
565 limit yet. If it is, the condition matches, otherwise it will not.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
566
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
567 Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
568 ----------- --------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
569 `LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
570
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
571 **Note:** Reloading mod\_firewall resets the current state of any
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
572 limiters.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
573
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
574 #### Dynamic limits
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
575
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
576 Sometimes you may want to have multiple throttles in a single condition, using some property of the session or stanza
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
577 to determine which throttle to use. For example, you might have a limit for incoming stanzas, but you want to limit by
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
578 sending JID, instead of all incoming stanzas sharing the same limit.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
579
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
580 You can use the 'on' keyword for this, like so:
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
581
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
582 LIMIT: normal on EXPRESSION
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
583
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
584 For more information on [expressions](#expressions), see the section later in this document.
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
585
2370
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
586 Each value of 'EXPRESSION' has to be tracked individually in a table, which uses a small amount of memory. To prevent
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
587 memory exhaustion, the number of tracked values is limited to 1000 by default. You can override this by setting the
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
588 maximum number of table entries when you define the rate:
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
589
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
590 %RATE normal: 2 (burst 3) (entries 4096)
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
591
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
592 Old values are automatically removed from the tracking table. However if the tracking table becomes full, new entries
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
593 will be rejected - it will behave as if the rate limit was reached, even for values that have not been seen before. Since
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
594 this opens up a potential denial of service (innocent users may be affected if malicious users can fill up the tracking
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
595 table within the limit period). You can choose to instead "fail open", and allow the rate limit to be temporarily bypassed
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
596 when the table is full. To choose this behaviour, add `(allow overflow)` to the RATE definition.
5fe483b73fd2 mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
Matthew Wild <mwild1@gmail.com>
parents: 2369
diff changeset
597
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
598 ### Session marking
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
599
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
600 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
601 `ORIGIN_MARKED` condition.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
602
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
603 Condition Description
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
604 ------------------------------- ---------------------------------------------------------------
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
605 ORIGIN MARKED: markname Matches if the origin has been marked with 'markname'.
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
606 ORIGIN MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds.
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
607
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
608 Example usage:
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
609
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
610 # This rule drops messages from sessions that have been marked as spammers in the past hour
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
611 ORIGIN MARKED: spammer (3600s)
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
612 DROP.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
613
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
614 # This rule marks the origin session as a spammer if they send a message to a honeypot JID
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
615 KIND: message
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
616 TO: honeypot@example.com
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
617 MARK ORIGIN=spammer
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
618
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
619 Actions
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
620 -------
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
621
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
622 Actions come after all conditions in a rule block. There must be at
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
623 least one action, though conditions are optional.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
624
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
625 An action without parameters ends with a full-stop/period ('.'), and one
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
626 with parameters uses an equals sign ('='):
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
627
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
628 # An action with no parameters:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
629 DROP.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
630
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
631 # An action with a parameter:
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
632 REPLY=Hello, this is a reply.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
633
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
634 ### Route modification
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
635
5234
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
636 The following common actions modify the stanza's route in some way. These
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
637 rules will halt further processing of the stanza - no further actions will be
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
638 executed, and no further rules will be checked.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
639
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
640 Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
641 ----------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------
2559
99b32f77f00d mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents: 2545
diff changeset
642 `PASS.` Stop executing actions and rules on this stanza, and let it through this chain and any calling chains.
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
643 `DROP.` Stop executing actions and rules on this stanza, and discard it.
2559
99b32f77f00d mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents: 2545
diff changeset
644 `DEFAULT.` Stop executing actions and rules on this stanza, prevent any other scripts/modules from handling it, to trigger the appropriate default "unhandled stanza" behaviour. Do not use in custom chains (it is treated as PASS).
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
645 `REDIRECT=jid` Redirect the stanza to the given JID.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
646 `BOUNCE.` Bounce the stanza with the default error (usually service-unavailable)
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
647 `BOUNCE=error` Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [RFC6120](http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions).
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
648 `BOUNCE=error (text)` As above, but include the supplied human-readable text with a description of the error
5234
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
649
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
650 **Note:** It is incorrect behaviour to reply to an 'error' stanza with another error, so BOUNCE will simply act the same as 'DROP' for stanzas that should not be bounced (error stanzas and iq results).
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
651
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
652 ### Replying and forwarding
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
653
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
654 These actions cause a new stanza to be generated and sent somewhere.
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
655 Processing of the original stanza will continue beyond these actions.
f6c71d9d6dc0 mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com>
parents: 5002
diff changeset
656
5235
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
657 Action Description
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
658 ------------------------ ---------------------------------------------------------------------------------------------------------------------------------------------------------
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
659 `REPLY=text` Reply to the stanza (assumed to be a message) with the given text.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
660 `COPY=jid` Make a copy of the stanza and send the copy to the specified JID. The copied stanza flows through Prosody's routing code, and as such is affected by firewall rules. Be careful to avoid loops.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
661 `FORWARD=jid` Forward a copy of the stanza to the given JID (using XEP-0297). The stanza will be sent from the current host's JID.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
662
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
663 ### Reporting
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
664
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
665 Action Description
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
666 ------------------------ ---------------------------------------------------------------------------------------------------------------------------------------------------------
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
667 `REPORT=jid reason text` Forwards the full stanza to `jid` with a XEP-0377 abuse report attached.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
668
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
669 Only the `jid` is mandatory. The `reason` parameter should be either `abuse`, `spam` or a custom URI. If not specified, it defaults to `abuse`.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
670 After the reason, some human-readable text may be included to explain the report.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
671
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
672 Example:
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
673
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
674 ```
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
675 KIND: message
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
676 TO: honeypot@example.com
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
677 REPORT TO=antispam.example.com spam Caught by the honeypot!
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
678 DROP.
d0d251abf595 mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com>
parents: 5234
diff changeset
679 ```
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
680
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
681 ### Stanza modification
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
682
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
683 These actions make it possible to modify the content and structure of a
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
684 stanza.
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
685
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
686 Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
687 ------------------------ ------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
688 `STRIP=name` Remove any child elements with the given name in the default namespace
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
689 `STRIP=name namespace` Remove any child elements with the given name and the given namespace
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
690 `INJECT=xml` Inject the given XML into the stanza as a child element
1782
29f3d6b7ad16 Import wiki pages
Kim Alvefur <zash@zash.se>
parents:
diff changeset
691
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
692 ### Sessions
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
693
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
694 It is possible to mark sessions, and then use these marks to match rules later on.
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
695
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
696 Action Description
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
697 ------------------------ --------------------------------------------------------------------------
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
698 `MARK ORIGIN=mark` Marks the originating session with the given flag.
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
699 `UNMARK ORIGIN=mark` Removes the given mark from the origin session (if it is set).
2108
573fe9825fba mod_firewall: README: Document session marking
Matthew Wild <mwild1@gmail.com>
parents: 2105
diff changeset
700
2114
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
701 **Note:** Marks apply to sessions, not JIDs. E.g. if marking in a rule that matches a stanza received
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
702 over s2s, it is the s2s session that is marked.
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
703
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
704 It is possible to have multiple marks on an origin at any given time.
ce3dd93f30d9 mod_firewall: README: Note about marks applying to sessions, not JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2111
diff changeset
705
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
706 ### Informational
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
707
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
708 Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
709 --------------- ------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents: 1782
diff changeset
710 `LOG=message` Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]`
2093
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
711
4236
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
712 You can include [expressions](#expressions) in log messages, using `$(...)` syntax. For example, to log the stanza that matched the rule,
c316ad1087d4 mod_firewall: Some additional documentation improvements, particularly adding section links where needed
Matthew Wild <mwild1@gmail.com>
parents: 4235
diff changeset
713 you can use `$(stanza)`, or to log just the top tag of the stanza, use `$(stanza:top_tag())`. To fetch the sender JID, use `$(stanza.attr.from)`.
2093
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
714
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
715 Example:
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
716
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
717 # Log all stanzas to user@example.com:
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
718 TO: user@example.com
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
719 LOG=[debug] User received: $(stanza)
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions
Matthew Wild <mwild1@gmail.com>
parents: 2092
diff changeset
720
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
721 More info about expressions can be found below.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
722
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
723 Chains
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
724 ------
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
725
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
726 Rules are grouped into "chains", which are injected at particular points in Prosody's routing code.
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
727
2559
99b32f77f00d mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents: 2545
diff changeset
728 Available built-in chains are:
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
729
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
730 Chain Description
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
731 -------------- -------------------------------------------------------------------------------------------
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
732 deliver Applies to stanzas delivered to local recipients (regardless of the stanza's origin)
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
733 deliver_remote Applies to stanzas delivered to remote recipients (just before they leave the local server)
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
734 preroute Applies to incoming stanzas from local users, before any routing rules are applied
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
735
2111
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
736 A chain is begun by a line `::name` where 'name' is the name of the chain you want the following rules to be
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
737 inserted into. If no chain is specified, rules are put into the 'deliver' chain.
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
738
4965
d7684aa81d8f mod_firewall: README: Correct mention of 'JUMP_CHAIN' to 'JUMP CHAIN'
Matthew Wild <mwild1@gmail.com>
parents: 4583
diff changeset
739 It is possible to create custom chains (useful with the `JUMP CHAIN` action described below). User-created
2111
4e434abaf8fc mod_firewall: README: Improve chain documentation
Matthew Wild <mwild1@gmail.com>
parents: 2110
diff changeset
740 chains must begin with "user/", e.g. "user/spam_filtering".
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
741
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
742 Example of chain use:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
743
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
744 # example.com's firewall script
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
745
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
746 # This line is optional, because 'deliver' is the default chain anyway:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
747 ::deliver
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
748
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
749 # This rule matches any stanzas delivered to our local user bob:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
750 TO: bob@example.com
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
751 DROP.
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
752
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
753 # Oops! This rule will never match, because alice is not a local user,
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
754 # and only stanzas to local users go through the 'deliver' chain:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
755 TO: alice@remote.example.com
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
756 DROP.
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
757
2104
384fb28452b9 mod_firewall: README: Improve chain usage example comments
Matthew Wild <mwild1@gmail.com>
parents: 2103
diff changeset
758 # Create a 'preroute' chain of rules (matched for incoming stanzas from local clients):
2096
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
759 ::preroute
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
760 # These rules are matched for outgoing stanzas from local clients
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
761
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
762 # This will match any stanzas sent to alice from a local user:
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
763 TO: alice@remote.example.com
b75d29a162cd mod_firewall: README: Document chains
Matthew Wild <mwild1@gmail.com>
parents: 2095
diff changeset
764 DROP.
2105
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
765
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
766 Action Description
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN
Matthew Wild <mwild1@gmail.com>
parents: 2104
diff changeset
767 ------------------------ ------------------------------------------------------------------------
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
768 `JUMP CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing.
2559
99b32f77f00d mod_firewall: Document PASS, RETURN and DEFAULT
Matthew Wild <mwild1@gmail.com>
parents: 2545
diff changeset
769 `RETURN.` Stops executing the current chain and returns to the parent chain. For built-in chains, equivalent to PASS. RETURN is implicit at the end of every chain.
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
770
2389
a753b21968c5 mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
Matthew Wild <mwild1@gmail.com>
parents: 2388
diff changeset
771 It is possible to jump to chains defined by other scripts and modules.
a753b21968c5 mod_firewall: README: Clarify that it's possible to jump to chains defined outside of the current file
Matthew Wild <mwild1@gmail.com>
parents: 2388
diff changeset
772
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
773 Expressions
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
774 -----------
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
775
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
776 Some conditions and actions in rules support "expressions" in their parameters (their documentation will indicate if this is the case). Most parameters
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
777 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
778 rule is being run.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
779
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
780 There are two kinds of expression that you can use: stanza expressions, and code expressions.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
781
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
782 ### Stanza expressions
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
783
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
784 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
785 above.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
786
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
787 Example:
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
788
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
789 LOG=Matched a stanza from $<@from> to $<@to>
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
790
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
791 There are built in functions which can be applied to the output of a stanza expression, by appending the pipe ('|') operator, followed by the function
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
792 name. These functions are:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
793
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
794 Function Description
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
795 ------------ ---------------------------------------
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
796 bare Given a JID, strip any resource
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
797 node Return the node ('user part') of a JID
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
798 host Return the host ('domain') part of a JID
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
799 resource Return the resource part of a JID
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
800
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
801 For example, to apply a rate limit to stanzas per sender domain:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
802
4072
2dcbc01c9931 mod_firewall: Fix example in README to use |host (thanks DebXWoody)
Matthew Wild <mwild1@gmail.com>
parents: 3197
diff changeset
803 LIMIT normal on $<@from|host>
2540
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
804
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
805 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) or any of the functions fail to produce an output (e.g. an invalid
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
806 JID was passed to a function that only handles valid JIDs) the expression will return the text `<undefined>`. You can override this by ending the expression
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
807 with a double pipe ('||') followed by a quoted string to use as a default instead. E.g. to default to the string "normal" when there is no 'type' attribute:
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
808
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
809 LOG=Stanza type is $<@type||"normal">
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
810
d637bc0ac604 mod_firewall: Update README for latest changes
Matthew Wild <mwild1@gmail.com>
parents: 2410
diff changeset
811 ### Code expressions
2369
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
812
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
813 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
814 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers)
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
815 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza,
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
816 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string.
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
817
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
818 Example to limit stanzas per session type:
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
819
2fb11d34087e mod_firewall: README: Update for LIMIT 'on' and document expression syntax
Matthew Wild <mwild1@gmail.com>
parents: 2360
diff changeset
820 LIMIT: normal on $(session.type)