diff mod_firewall/README.markdown @ 2108:573fe9825fba

mod_firewall: README: Document session marking
author Matthew Wild <mwild1@gmail.com>
date Thu, 17 Mar 2016 11:33:57 +0000
parents f2d5aa789646
children c26b28c65d47
line wrap: on
line diff
--- a/mod_firewall/README.markdown	Thu Mar 17 11:27:10 2016 +0000
+++ b/mod_firewall/README.markdown	Thu Mar 17 11:33:57 2016 +0000
@@ -264,6 +264,27 @@
 **Note:** Reloading mod\_firewall resets the current state of any
 limiters.
 
+### Session marking
+
+It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the
+`ORIGIN_MARKED` condition.
+
+  Condition                       Description
+  ------------------------------- ---------------------------------------------------------------
+  ORIGIN_MARKED: markname         Matches if the origin has been marked with 'markname'.
+  ORIGIN_MARKED: markname (Xs)    Matches if the origin has been marked with 'markname' within the past X seconds.
+
+Example usage:
+
+    # This rule drops messages from sessions that have been marked as spammers in the past hour
+    ORIGIN_MARKED: spammer (3600s)
+    DROP.
+
+    # This rule marks the origin session as a spammer if they send a message to a honeypot JID
+    KIND: message
+    TO: honeypot@example.com
+    MARK_ORIGIN=spammer
+
 Actions
 -------
 
@@ -309,6 +330,15 @@
   `STRIP=name namespace`   Remove any child elements with the given name and the given namespace
   `INJECT=xml`             Inject the given XML into the stanza as a child element
 
+### Sessions
+
+It is possible to mark sessions, and then use these marks to match rules later on.
+
+  Action                   Description
+  ------------------------ --------------------------------------------------------------------------
+  `MARK_ORIGIN=mark`        Marks the originating session with the given flag.
+  `UNMARK_ORIGIN=mark`      Removes the given mark from the origin session (if it is set).
+
 ### Informational
 
   Action          Description