Mercurial > prosody-modules
comparison mod_firewall/README.markdown @ 2369:2fb11d34087e
mod_firewall: README: Update for LIMIT 'on' and document expression syntax
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 15 Nov 2016 21:02:46 +0000 |
| parents | 97e63e8f0f32 |
| children | 5fe483b73fd2 |
comparison
equal
deleted
inserted
replaced
| 2368:7e1d8c46d788 | 2369:2fb11d34087e |
|---|---|
| 287 ----------- -------------------------------------------------------------------------------------------------- | 287 ----------- -------------------------------------------------------------------------------------------------- |
| 288 `LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit. | 288 `LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit. |
| 289 | 289 |
| 290 **Note:** Reloading mod\_firewall resets the current state of any | 290 **Note:** Reloading mod\_firewall resets the current state of any |
| 291 limiters. | 291 limiters. |
| 292 | |
| 293 #### Dynamic limits | |
| 294 | |
| 295 Sometimes you may want to have multiple throttles in a single condition, using some property of the session or stanza | |
| 296 to determine which throttle to use. For example, you might have a limit for incoming stanzas, but you want to limit by | |
| 297 sending JID, instead of all incoming stanzas sharing the same limit. | |
| 298 | |
| 299 You can use the 'on' keyword for this, like so: | |
| 300 | |
| 301 LIMIT: normal on EXPRESSION | |
| 302 | |
| 303 For more information on expressions, see the section later in this document. | |
| 292 | 304 |
| 293 ### Session marking | 305 ### Session marking |
| 294 | 306 |
| 295 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the | 307 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the |
| 296 `ORIGIN_MARKED` condition. | 308 `ORIGIN_MARKED` condition. |
| 383 | 395 |
| 384 # Log all stanzas to user@example.com: | 396 # Log all stanzas to user@example.com: |
| 385 TO: user@example.com | 397 TO: user@example.com |
| 386 LOG=[debug] User received: $(stanza) | 398 LOG=[debug] User received: $(stanza) |
| 387 | 399 |
| 400 More info about expressions can be found below. | |
| 401 | |
| 388 Chains | 402 Chains |
| 389 ------ | 403 ------ |
| 390 | 404 |
| 391 Rules are grouped into "chains", which are injected at particular points in Prosody's routing code. | 405 Rules are grouped into "chains", which are injected at particular points in Prosody's routing code. |
| 392 | 406 |
| 429 DROP. | 443 DROP. |
| 430 | 444 |
| 431 Action Description | 445 Action Description |
| 432 ------------------------ ------------------------------------------------------------------------ | 446 ------------------------ ------------------------------------------------------------------------ |
| 433 `JUMP_CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing. | 447 `JUMP_CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing. |
| 448 | |
| 449 Expressions | |
| 450 ----------- | |
| 451 | |
| 452 Some conditions and actions in rules support "expressions" in their parameters (their documentation will indicate if this is the case). Most parameters | |
| 453 are static once the firewall script is loaded and compiled internally, however parameters that allow expressions can be dynamically calculated when a | |
| 454 rule is being run. | |
| 455 | |
| 456 There are two kinds of expression that you can use: stanza expressions, and code expressions. | |
| 457 | |
| 458 Stanza expressions are of the form `$<...>`, where `...` is a stanza path. For syntax of stanza paths, see the documentation for the 'INSPECT' condition | |
| 459 above. | |
| 460 | |
| 461 Example: | |
| 462 | |
| 463 LOG=Matched a stanza from $<@from> to $<@to> | |
| 464 | |
| 465 If the path does not match (e.g. the element isn't found, or the attribute doesn't exist) it will return the text `<undefined>`. You can override this | |
| 466 by specifying an alternative default value, using the syntax `$<path||default>`. | |
| 467 | |
| 468 Code expressions use `$(...)` syntax. Code expressions are powerful, and allow unconstrained access to Prosody's internal environment. Therefore | |
| 469 code expressions are typically for advanced use-cases only. You may want to refer to Prosody's [developer documentation](https://prosody.im/doc/developers) | |
| 470 for more information. In particular, within code expressions you may access the 'session' object, which is the session object of the origin of the stanza, | |
| 471 and the 'stanza' object, which is the stanza being considered within the current rule. Whatever value the expression returns will be converted to a string. | |
| 472 | |
| 473 Example to limit stanzas per session type: | |
| 474 | |
| 475 LIMIT: normal on $(session.type) |