Mercurial > prosody-modules
view mod_isolate_host/mod_isolate_host.lua @ 4877:adc6241e5d16
mod_measure_process: Report the enforced limit
The soft limit is what the kernel actually enforces, while the hard
limit is is how far you can change the soft limit without privileges.
Unless the process dynamically adjusts the soft limit, knowing the hard
limit is not as useful as knowing the soft limit.
Reporting the soft limit and the number of in-use FDs allows placing
alerts on expressions like 'process_open_fds / process_max_fds >= 0.95'
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 18 Jan 2022 18:55:20 +0100 |
| parents | 8e19b943c2cd |
| children | bc75fc9400ae |
line wrap: on
line source
local jid = require "util.jid"; local jid_bare, jid_split = jid.bare, jid.split; local is_admin = require "core.usermanager".is_admin; local set = require "util.set"; local st = require "util.stanza"; local stanza_types = set.new{"message", "presence", "iq"}; local jid_types = set.new{"bare", "full", "host"}; local except_domains = module:get_option_inherited_set("isolate_except_domains", {}); local except_users = module:get_option_inherited_set("isolate_except_users", {}); function check_stanza(event) local origin, stanza = event.origin, event.stanza; if origin.no_host_isolation then return; end local to_user, to_host = jid_split(event.stanza.attr.to); if to_host and to_host ~= origin.host and not except_domains:contains(to_host) then if to_host:match("^[^.]+%.(.+)$") == origin.host then -- Permit subdomains except_domains:add(to_host); return; end module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); return true; end end for stanza_type in stanza_types do for jid_type in jid_types do module:hook("pre-"..stanza_type.."/"..jid_type, check_stanza, 1); end end function check_user_isolated(event) local session = event.session; local bare_jid = jid_bare(session.full_jid); if is_admin(bare_jid, module.host) or except_users:contains(bare_jid) then session.no_host_isolation = true; end module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); end module:hook("resource-bind", check_user_isolated);