# HG changeset patch
# User Marco Cirillo
# Date 1324412393 0
# Node ID e98fe28c50b0d80ac7eb65a0b93a89a3dea09db7
# Parent 46e1983486e91ad0251238ddf52748f63c57efad
mod_host_guard: added exceptions/whitelisting to the blockall logic (makes little sense otherwise has s2s_disallow = true does the same)
diff -r 46e1983486e9 -r e98fe28c50b0 mod_host_guard/mod_host_guard.lua
--- a/mod_host_guard/mod_host_guard.lua Mon Dec 19 12:29:03 2011 +0000
+++ b/mod_host_guard/mod_host_guard.lua Tue Dec 20 20:19:53 2011 +0000
@@ -4,6 +4,7 @@
 module:set_global()
 local guard_blockall = module:get_option_set("host_guard_blockall", {})
+local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {})
 local guard_protect = module:get_option_set("host_guard_selective", {})
 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
@@ -14,7 +15,7 @@
 local _make_connect = s2smanager.make_connect;
 function s2smanager.make_connect(session, connect_host, connect_port)
 if not session.s2sValidation then
- if guard_blockall:contains(session.from_host) or
+ if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or
 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host);
 s2smanager.destroy_session(session, "You're not authorized, good bye.");
@@ -34,7 +35,7 @@
 session.s2sValidation = true;
 end
- if guard_blockall:contains(host) or
+ if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or
 guard_block_bl:contains(from) and guard_protect:contains(host) then
 module:log("error", "remote service %s attempted to access restricted host %s", from, host);
 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
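Review bot: The new option is read into `guard_ball_wl`, a name that neither mirrors its option (`host_guard_blockall_exceptions`) nor says what the set holds, while the three neighbouring locals all follow their option names; `guard_blockall_exceptions` would keep that pattern (the reload() assignment in the last hunk would follow suit). The line also deserves a comment on its scope, because none of the later checks key the exception on which local host is blocked, so an entry applies to every host in `host_guard_blockall`: `-- remote hosts exempt from host_guard_blockall; the list is global, one entry bypasses the block for every blocked local host`.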
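Review bot: The rewritten condition mixes `and` and `or` in one expression and depends on Lua's precedence (`and` binds tighter) to mean "(blocked and not exempt) or (blacklisted and protected)"; with the second clause on a continuation line it is easy to misread as the exception also loosening the blacklist branch, which it must not. Parenthesising the two clauses makes the policy explicit: `if (guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host)) or` followed by `(guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host)) then`. The same shape recurs in the -34 and -47 hunks and should be parenthesised there too. The body of s2smanager.make_connect continues past the end of this hunk.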
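Review bot: The exception is matched against `from` at stream-open time, and if `from` is derived from the stream header as the surrounding code suggests (the enclosing function starts outside the hunk), it is a value the peer asserts before any s2s authentication, so a host in `host_guard_blockall` now lets the stream open proceed for anyone presenting an exempt name; the -47 hunk has the same property for `stanza.attr.from` on `s2sin_unauthed` origins. Before this change the blockall refusal did not depend on any peer-supplied data. That is acceptable only if the authenticated session identity is enforced before stanzas are delivered, which happens outside this module, and the assumption should be recorded at the check: `-- NOTE: from is the peer's own claim at this point (pre-auth); the exception must still hold against the authenticated from_host later`. If incoming sessions carry `from_host` the way outgoing ones do in make_connect, comparing the exception list against that field on authenticated sessions would close the gap inside the module itself.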
@@ -47,7 +48,7 @@
 local origin, stanza = event.origin, event.stanza;
 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
- if guard_blockall:contains(stanza.attr.to) or
+ if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or
 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to);
 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
@@ -79,6 +80,7 @@
 local function reload()
 module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
 guard_blockall = module:get_option_set("host_guard_blockall", {});
+ guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {});
 guard_protect = module:get_option_set("host_guard_components", {});
 guard_block_bl = module:get_option_set("host_guard_blacklist", {});
 end
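Review bot: reload() re-reads `guard_protect` from `host_guard_components`, while the first hunk initialises the same variable from `host_guard_selective`; unless `host_guard_components` is a deliberate alias not visible here, a configuration reload silently swaps the selective-protection set for a different (and presumably empty) option, after which the `guard_block_bl:contains(...) and guard_protect:contains(...)` clause in all three checks can no longer fire. The new `guard_ball_wl` line is consistent with its initial read, but the line right below it should be `guard_protect = module:get_option_set("host_guard_selective", {});`. The mismatch predates this commit, but the commit edits this function and is the natural place to fix it; reading the four options through one shared loader called at init and from reload() would stop the two lists drifting again.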