# HG changeset patch # User Matthew Wild # Date 1458214437 0 # Node ID 573fe9825fba968712ae648205564efad9b865f0 # Parent f445f43b9ba18bb480bc03fd6c9b20d5c8842b41 mod_firewall: README: Document session marking diff -r f445f43b9ba1 -r 573fe9825fba mod_firewall/README.markdown --- a/mod_firewall/README.markdown Thu Mar 17 11:27:10 2016 +0000 +++ b/mod_firewall/README.markdown Thu Mar 17 11:33:57 2016 +0000 @@ -264,6 +264,27 @@ **Note:** Reloading mod\_firewall resets the current state of any limiters. +### Session marking + +It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the +`ORIGIN_MARKED` condition. + + Condition Description + ------------------------------- --------------------------------------------------------------- + ORIGIN_MARKED: markname Matches if the origin has been marked with 'markname'. + ORIGIN_MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds. + +Example usage: + + # This rule drops messages from sessions that have been marked as spammers in the past hour + ORIGIN_MARKED: spammer (3600s) + DROP. + + # This rule marks the origin session as a spammer if they send a message to a honeypot JID + KIND: message + TO: honeypot@example.com + MARK_ORIGIN=spammer + Actions ------- @@ -309,6 +330,15 @@ `STRIP=name namespace` Remove any child elements with the given name and the given namespace `INJECT=xml` Inject the given XML into the stanza as a child element +### Sessions + +It is possible to mark sessions, and then use these marks to match rules later on. + + Action Description + ------------------------ -------------------------------------------------------------------------- + `MARK_ORIGIN=mark` Marks the originating session with the given flag. + `UNMARK_ORIGIN=mark` Removes the given mark from the origin session (if it is set). + ### Informational Action Description
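Review bot: in the first hunk (`@@ -264,6 +264,27 @@`), the comment on the first example rule says it "drops messages from sessions that have been marked as spammers in the past hour", but the rule consists only of `ORIGIN_MARKED: spammer (3600s)` and `DROP.`, with no `KIND: message` condition. As documented it would match every stanza from a marked session, not only messages. Either add `KIND: message` to the rule or reword the comment to say "stanzas", so that readers copying the example get the behaviour the comment promises. The unchanged note just above this section says reloading mod_firewall resets limiter state; the new section should say whether marks are also lost on reload. Minor: the second example ends with `MARK_ORIGIN=spammer` while the first ends with `DROP.`, so the two examples should be made consistent about the trailing period.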
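Review bot: in the second hunk (`@@ -309,6 +330,15 @@`), the `MARK_ORIGIN=mark` row does not say what happens when the session already carries that mark. The conditions table added earlier in this patch introduces `ORIGIN_MARKED: markname (Xs)`, which depends on when the mark was set, so the action's description should state whether marking again refreshes that time or leaves the original one in place. The row also calls the value a "flag" while the `UNMARK_ORIGIN=mark` row and the rest of the patch call it a "mark"; use one term throughout. Since the section is titled "Sessions" and the actions are named after the origin, a sentence on what the actions do when the stanza's origin is not a session the server can mark would close the remaining gap.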