# HG changeset patch # User Matthew Wild # Date 1661509844 -3600 # Node ID 47d9f704d14b34ddb496480379ec1c51c5a84361 # Parent eb3f99d0e72d3faf1affa0f6b3a1fe3d55177d0f mod_muc_ban_ip: Support for service-wide IP bans from trusted services diff -r eb3f99d0e72d -r 47d9f704d14b mod_muc_ban_ip/mod_muc_ban_ip.lua --- a/mod_muc_ban_ip/mod_muc_ban_ip.lua Thu Aug 25 16:38:14 2022 +0200 +++ b/mod_muc_ban_ip/mod_muc_ban_ip.lua Fri Aug 26 11:30:44 2022 +0100 @@ -1,18 +1,33 @@ module:set_global(); -local jid_bare = require "util.jid".bare; +local jid_bare, jid_host = require "util.jid".bare, require "util.jid".host; local st = require "util.stanza"; local xmlns_muc_user = "http://jabber.org/protocol/muc#user"; +local trusted_services = module:get_option_inherited_set("muc_ban_ip_trusted_services", {}); +local trust_local_restricted_services = module:get_option_boolean("muc_ban_ip_trust_local_restricted_services", true); + local ip_bans = module:shared("bans"); local full_sessions = prosody.full_sessions; +local function is_local_restricted_service(host) + local muc_service = prosody.hosts[host] and prosody.hosts[host].modules.muc; + if muc_service and module:context(host):get_option("restrict_room_creation") ~= nil then -- COMPAT: May need updating post-0.12 + return true; + end + return false; +end + local function ban_ip(session, from) local ip = session.ip; if not ip then module:log("warn", "Failed to ban IP (IP unknown) for %s", session.full_jid); return; end + local from_host = jid_host(from); + if trusted_services:contains(from_host) or (trust_local_restricted_services and is_local_restricted_service(from_host)) then + from = from_host; -- Ban from entire host + end local banned_from = ip_bans[ip]; if not banned_from then banned_from = {}; @@ -45,8 +60,8 @@ local function check_for_ban(event) local origin, stanza = event.origin, event.stanza; local ip = origin.ip; - local to = jid_bare(stanza.attr.to); - if ip_bans[ip] and ip_bans[ip][to] then + local to, to_host = jid_bare(stanza.attr.to), jid_host(stanza.attr.to); + if ip_bans[ip] and (ip_bans[ip][to] or ip_bans[ip][to_host]) then (origin.log or module._log)("debug", "IP banned: %s is banned from %s", ip, to) if stanza.attr.type ~= "error" then origin.send(st.error_reply(stanza, "auth", "forbidden")