comparison mod_host_guard/mod_host_guard.lua @ 682:3ab1cf30a848
mod_host_guard: using route/remote event hook to stop outgoing connections to filtered entities, yet the returned error is highly misleading.
author | Marco Cirillo <maranda@lightwitch.org> |
---|---|
date | Sun, 27 May 2012 01:34:53 +0000 |
parents | 03ef667c96c3 |
children | 939f8fc84d49 |
681:03ef667c96c3 | 682:3ab1cf30a848 |
---|---|
7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) | 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) |
8 local guard_protect = module:get_option_set("host_guard_selective", {}) | 8 local guard_protect = module:get_option_set("host_guard_selective", {}) |
9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) | 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
10 | 10 |
11 local config = require "core.configmanager" | 11 local config = require "core.configmanager" |
12 local error_reply = require "util.stanza".error_reply | |
12 local nameprep = require "util.encodings".stringprep.nameprep | 13 local nameprep = require "util.encodings".stringprep.nameprep |
13 | 14 |
14 local function s2s_hook (event) | 15 local function s2s_hook (event) |
15 local origin, stanza = event.session or event.origin, event.stanza or false | 16 local origin, stanza = event.session or event.origin, event.stanza or false |
16 local to_host, from_host = (not stanza and origin.to_host) or stanza.attr.to, (not stanza and origin.from_host) or stanza.attr.from | 17 local to_host, from_host = (not stanza and origin.to_host) or stanza.attr.to, (not stanza and origin.from_host) or stanza.attr.from |
17 | 18 |
18 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | 19 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
19 if guard_blockall:contains(to_host) and not guard_ball_wl:contains(from_host) or | 20 if guard_blockall:contains(to_host) and not guard_ball_wl:contains(from_host) or |
20 guard_block_bl:contains(from_host) and guard_protect:contains(to_host) then | 21 guard_block_bl:contains(from_host) and guard_protect:contains(to_host) then |
21 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to) | 22 module:log("error", "remote service %s attempted to access restricted host %s", from_host, to_host) |
22 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}) | 23 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}) |
23 return false | 24 return false |
24 end | 25 end |
25 end | 26 end |
26 | 27 |
27 return nil | 28 return nil |
28 end | 29 end |
29 | 30 |
31 local function rr_hook (event) | |
32 local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza | |
33 | |
34 if guard_blockall:contains(from_host) and not guard_ball_wl:contains(to_host) or | |
35 guard_block_bl:contains(to_host) and guard_protect:contains(from_host) then | |
36 module:log("info", "attempted to connect to a filtered remote host %s", to_host) | |
37 return false | |
38 end | |
39 | |
40 return nil | |
41 end | |
42 | |
30 local function handle_activation (host) | 43 local function handle_activation (host) |
31 if guard_blockall:contains(host) or guard_protect:contains(host) then | 44 if guard_blockall:contains(host) or guard_protect:contains(host) then |
32 if hosts[host] and hosts[host].events then | 45 if hosts[host] and hosts[host].events then |
33 hosts[host].events.add_handler("s2sin-established", s2s_hook, 500) | 46 hosts[host].events.add_handler("s2sin-established", s2s_hook, 500) |
47 hosts[host].events.add_handler("route/remote", rr_hook, 500) | |
34 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", s2s_hook, 500) | 48 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", s2s_hook, 500) |
35 module:log ("debug", "adding host protection for: "..host) | 49 module:log ("debug", "adding host protection for: "..host) |
36 end | 50 end |
37 end | 51 end |
38 end | 52 end |
39 | 53 |
40 local function handle_deactivation (host) | 54 local function handle_deactivation (host) |
41 if guard_blockall:contains(host) or guard_protect:contains(host) then | 55 if guard_blockall:contains(host) or guard_protect:contains(host) then |
42 if hosts[host] and hosts[host].events then | 56 if hosts[host] and hosts[host].events then |
43 hosts[host].events.remove_handler("s2sin-established", s2s_hook) | 57 hosts[host].events.remove_handler("s2sin-established", s2s_hook) |
58 hosts[host].events.remove_handler("route/remote", rr_hook) | |
44 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) | 59 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) |
45 module:log ("debug", "removing host protection for: "..host) | 60 module:log ("debug", "removing host protection for: "..host) |
46 end | 61 end |
47 end | 62 end |
48 end | 63 end |
49 | 64 |
50 local function init_hosts() | 65 local function init_hosts() |
51 for n,table in pairs(hosts) do | 66 for n,table in pairs(hosts) do |
52 hosts[n].events.remove_handler("s2sin-established", s2s_hook) | 67 hosts[n].events.remove_handler("s2sin-established", s2s_hook) |
68 hosts[n].events.remove_handler("route/remote", rr_hook) | |
53 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) | 69 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook) |
54 if guard_blockall:contains(n) or guard_protect:contains(n) then handle_activation(n) end | 70 if guard_blockall:contains(n) or guard_protect:contains(n) then handle_activation(n) end |
55 end | 71 end |
56 end | 72 end |
57 | 73 |
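Review bot: `error_reply` is newly required at line 12 and `stanza` is bound in `rr_hook`, but neither is used, so a stanza bound for a filtered host is dropped with nothing but a log line — presumably the "misleading error" the commit message refers to. If the route/remote event carries the originating session (it appears to, as `event.origin`), a policy-violation bounce would make the refusal explicit to the sender: `if stanza.attr.type ~= "error" then origin.send(error_reply(stanza, "cancel", "policy-violation", "Connection to filtered host refused")) end`; otherwise drop the unused import and local so readers do not expect a reply that never happens. The log line at new line 36 should also record which local host made the attempt, e.g. `module:log("warn", "%s attempted to connect to filtered remote host %s", from_host, to_host)`, so the audit trail shows both sides as the inbound hook already does. The inbound hook logs at "error" while this one logs at "info"; one level for both directions keeps alerting consistent.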