comparison mod_host_guard/mod_host_guard.lua @ 682:3ab1cf30a848

mod_host_guard: using route/remote event hook to stop outgoing connections to filtered entities, yet the returned error is highly misleading.
author Marco Cirillo <maranda@lightwitch.org>
date Sun, 27 May 2012 01:34:53 +0000
parents 03ef667c96c3
children 939f8fc84d49
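--- a/mod_host_guard/mod_host_guard.lua
+++ b/mod_host_guard/mod_host_guard.lua
@@ -7,51 +7,67 @@
 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {})
 local guard_protect = module:get_option_set("host_guard_selective", {})
 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
 
 local config = require "core.configmanager"
+local error_reply = require "util.stanza".error_reply
 local nameprep = require "util.encodings".stringprep.nameprep
 
 local function s2s_hook (event)
 local origin, stanza = event.session or event.origin, event.stanza or false
 local to_host, from_host = (not stanza and origin.to_host) or stanza.attr.to, (not stanza and origin.from_host) or stanza.attr.from
 
 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
 if guard_blockall:contains(to_host) and not guard_ball_wl:contains(from_host) or
 guard_block_bl:contains(from_host) and guard_protect:contains(to_host) then
-module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to)
+module:log("error", "remote service %s attempted to access restricted host %s", from_host, to_host)
 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."})
 return false
 end
 end
 
 return nil
 end
 
+local function rr_hook (event)
+local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza
+
+if guard_blockall:contains(from_host) and not guard_ball_wl:contains(to_host) or
+guard_block_bl:contains(to_host) and guard_protect:contains(from_host) then
+module:log("info", "attempted to connect to a filtered remote host %s", to_host)
+return false
+end
+
+return nil
+end
+
 local function handle_activation (host)
 if guard_blockall:contains(host) or guard_protect:contains(host) then
 if hosts[host] and hosts[host].events then
 hosts[host].events.add_handler("s2sin-established", s2s_hook, 500)
+hosts[host].events.add_handler("route/remote", rr_hook, 500)
 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", s2s_hook, 500)
 module:log ("debug", "adding host protection for: "..host)
 end
 end
 end
 
 local function handle_deactivation (host)
 if guard_blockall:contains(host) or guard_protect:contains(host) then
 if hosts[host] and hosts[host].events then
 hosts[host].events.remove_handler("s2sin-established", s2s_hook)
+hosts[host].events.remove_handler("route/remote", rr_hook)
 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook)
 module:log ("debug", "removing host protection for: "..host)
 end
 end
 end
 
 local function init_hosts()
 for n,table in pairs(hosts) do
 hosts[n].events.remove_handler("s2sin-established", s2s_hook)
+hosts[n].events.remove_handler("route/remote", rr_hook)
 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook)
 if guard_blockall:contains(n) or guard_protect:contains(n) then handle_activation(n) end
 end
 end
 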
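Review bot: `error_reply` is imported on new line 12 but nothing uses it, so when `rr_hook` returns `false` on new line 37 the blocked stanza still gets whatever generic bounce the router produces outside this file — the misleading error the commit message itself mentions. I would have `rr_hook` send the real reason, `error_reply(stanza, "cancel", "policy-violation", ...)` via `module:send`, skip stanzas of type `error` (and iq results) so two filtering servers cannot ping-pong error replies, and return a truthy value so the router does not add its own reply; that truthy-means-handled part is inferred from the current fallthrough and should be confirmed against the router code. The `info` log on new line 36 would also be more useful with the local side named, since a host can be in both the blockall and selective sets: `module:log("info", "%s attempted to connect to a filtered remote host %s", from_host, to_host)`.
```lua
local function rr_hook (event)
	-- … unchanged: from_host/to_host/stanza locals and the guard-set checks …
		module:log("info", "%s attempted to connect to a filtered remote host %s", from_host, to_host)
		-- Tell the sender the actual policy reason instead of leaving the
		-- router's generic "not routed" fallback; never answer an error (or an
		-- iq result), otherwise two filtering servers bounce errors forever.
		if stanza.attr.type ~= "error" and not (stanza.name == "iq" and stanza.attr.type == "result") then
			module:send(error_reply(stanza, "cancel", "policy-violation", "Communication with this remote host is filtered."))
		end
		return true -- handled here; confirm the router treats truthy as "routed"
	-- … unchanged: end / return nil / end …
```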