Mercurial > prosody-modules
comparison mod_host_guard/mod_host_guard.lua @ 682:3ab1cf30a848
mod_host_guard: using route/remote event hook to stop outgoing connections to filtered entities, yet the returned error is highly misleading.
| author | Marco Cirillo <maranda@lightwitch.org> |
|---|---|
| date | Sun, 27 May 2012 01:34:53 +0000 |
| parents | 03ef667c96c3 |
| children | 939f8fc84d49 |
comparison
equal
deleted
inserted
replaced
| 681:03ef667c96c3 | 682:3ab1cf30a848 |
|---|---|
| 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) | 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) |
| 8 local guard_protect = module:get_option_set("host_guard_selective", {}) | 8 local guard_protect = module:get_option_set("host_guard_selective", {}) |
| 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) | 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
| 10 | 10 |
| 11 local config = require "core.configmanager" | 11 local config = require "core.configmanager" |
| 12 local error_reply = require "util.stanza".error_reply | |
| 12 local nameprep = require "util.encodings".stringprep.nameprep | 13 local nameprep = require "util.encodings".stringprep.nameprep |
| 13 | 14 |
| 14 local function s2s_hook (event) | 15 local function s2s_hook (event) |
| 15 local origin, stanza = event.session or event.origin, event.stanza or false | 16 local origin, stanza = event.session or event.origin, event.stanza or false |
| 16 local to_host, from_host = (not stanza and origin.to_host) or stanza.attr.to, (not stanza and origin.from_host) or stanza.attr.from | 17 local to_host, from_host = (not stanza and origin.to_host) or stanza.attr.to, (not stanza and origin.from_host) or stanza.attr.from |
| 17 | 18 |
| 18 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | 19 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
| 19 if guard_blockall:contains(to_host) and not guard_ball_wl:contains(from_host) or | 20 if guard_blockall:contains(to_host) and not guard_ball_wl:contains(from_host) or |
| 20 guard_block_bl:contains(from_host) and guard_protect:contains(to_host) then | 21 guard_block_bl:contains(from_host) and guard_protect:contains(to_host) then |
| 21 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to) | 22 module:log("error", "remote service %s attempted to access restricted host %s", from_host, to_host) |
| 22 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}) | 23 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}) |
| 23 return false | 24 return false |
| 24 end | 25 end |
| 25 end | 26 end |
| 26 | 27 |
| 27 return nil | 28 return nil |
| 28 end | 29 end |
| 29 | 30 |
| 31 local function rr_hook (event) | |
| 32 local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza | |
| 33 | |
| 34 if guard_blockall:contains(from_host) and not guard_ball_wl:contains(to_host) or | |
| 35 guard_block_bl:contains(to_host) and guard_protect:contains(from_host) then | |
| 36 module:log("info", "attempted to connect to a filtered remote host %s", to_host) | |
| 37 return false | |
| 38 end | |
| 39 | |
| 40 return nil | |
| 41 end | |
| 42 | |
| 30 local function handle_activation (host) | 43 local function handle_activation (host) |
| 31 if guard_blockall:contains(host) or guard_protect:contains(host) then | 44 if guard_blockall:contains(host) or guard_protect:contains(host) then |
| 32 if hosts[host] and hosts[host].events then | 45 if hosts[host] and hosts[host].events then |
| 33 hosts[host].events.add_handler("s2sin-established", s2s_hook, 500) | 46 hosts[host].events.add_handler("s2sin-established", s2s_hook, 500) |
| 47 hosts[host].events.add_handler("route/remote", rr_hook, 500) | |
| 34 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", s2s_hook, 500) | 48 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", s2s_hook, 500) |
| 35 module:log ("debug", "adding host protection for: "..host) | 49 module:log ("debug", "adding host protection for: "..host) |
| 36 end | 50 end |
| 37 end | 51 end |
| 38 end | 52 end |
| 39 | 53 |
| 40 local function handle_deactivation (host) | 54 local function handle_deactivation (host) |
| 41 if guard_blockall:contains(host) or guard_protect:contains(host) then | 55 if guard_blockall:contains(host) or guard_protect:contains(host) then |
| 42 if hosts[host] and hosts[host].events then | 56 if hosts[host] and hosts[host].events then |
| 43 hosts[host].events.remove_handler("s2sin-established", s2s_hook) | 57 hosts[host].events.remove_handler("s2sin-established", s2s_hook) |
| 58 hosts[host].events.remove_handler("route/remote", rr_hook) | |
| 44 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) | 59 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) |
| 45 module:log ("debug", "removing host protection for: "..host) | 60 module:log ("debug", "removing host protection for: "..host) |
| 46 end | 61 end |
| 47 end | 62 end |
| 48 end | 63 end |
| 49 | 64 |
| 50 local function init_hosts() | 65 local function init_hosts() |
| 51 for n,table in pairs(hosts) do | 66 for n,table in pairs(hosts) do |
| 52 hosts[n].events.remove_handler("s2sin-established", s2s_hook) | 67 hosts[n].events.remove_handler("s2sin-established", s2s_hook) |
| 68 hosts[n].events.remove_handler("route/remote", rr_hook) | |
| 53 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) | 69 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) |
| 54 if guard_blockall:contains(n) or guard_protect:contains(n) then handle_activation(n) end | 70 if guard_blockall:contains(n) or guard_protect:contains(n) then handle_activation(n) end |
| 55 end | 71 end |
| 56 end | 72 end |
| 57 | 73 |