changeset 682:3ab1cf30a848

mod_host_guard: using route/remote event hook to stop outgoing connections to filtered entities, yet the returned error is highly misleading.
author Marco Cirillo <maranda@lightwitch.org>
date Sun, 27 May 2012 01:34:53 +0000
parents 03ef667c96c3
children 939f8fc84d49
files mod_host_guard/mod_host_guard.lua
diffstat 1 files changed, 17 insertions(+), 1 deletions(-) [+]
--- a/mod_host_guard/mod_host_guard.lua	Sat May 26 22:48:03 2012 +0000
+++ b/mod_host_guard/mod_host_guard.lua	Sun May 27 01:34:53 2012 +0000
@@ -9,6 +9,7 @@
 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
 
 local config = require "core.configmanager"
+local error_reply = require "util.stanza".error_reply
 local nameprep = require "util.encodings".stringprep.nameprep
 
 local function s2s_hook (event)
@@ -18,7 +19,7 @@
 	if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
 	   if guard_blockall:contains(to_host) and not guard_ball_wl:contains(from_host) or
 	      guard_block_bl:contains(from_host) and guard_protect:contains(to_host) then
-                module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to)
+                module:log("error", "remote service %s attempted to access restricted host %s", from_host, to_host)
                 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."})
                 return false
            end
@@ -27,10 +28,23 @@
 	return nil
 end
 
+local function rr_hook (event)
+	local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza
+
+	if guard_blockall:contains(from_host) and not guard_ball_wl:contains(to_host) or
+	   guard_block_bl:contains(to_host) and guard_protect:contains(from_host) then
+	     module:log("info", "attempted to connect to a filtered remote host %s", to_host)
+	     return false
+	end
+
+	return nil
+end
+
 local function handle_activation (host)
 	if guard_blockall:contains(host) or guard_protect:contains(host) then
 		if hosts[host] and hosts[host].events then
 			hosts[host].events.add_handler("s2sin-established", s2s_hook, 500)
+			hosts[host].events.add_handler("route/remote", rr_hook, 500)
 			hosts[host].events.add_handler("stanza/jabber:server:dialback:result", s2s_hook, 500)
                 	module:log ("debug", "adding host protection for: "..host)
 		end
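Review bot: In `rr_hook`, `return false` leaves it to the router to tell the sender why delivery failed, which the commit message itself calls misleading. `error_reply` is required in the first hunk and `stanza` is bound here, yet neither is used in the visible code. Bounce an explicit `policy-violation` error for stanzas that are not themselves errors or results, then return `true`, so the sender sees a policy decision rather than a routing failure. The delivery call (`module:send` is assumed below) and the effect of returning `true` on later handlers should be confirmed against the Prosody version in use. For auditing, the log line should also name `from_host` next to `to_host`, as the `s2s_hook` message does.

```lua
local function rr_hook (event)
	-- … unchanged: from_host/to_host/stanza binding and the filter condition …
	     module:log("info", "%s attempted to connect to filtered remote host %s", from_host, to_host)
	     -- never answer an error (or a result) with an error, to avoid bounce loops
	     local stype = stanza.attr.type
	     if stype ~= "error" and stype ~= "result" then
	          module:send(error_reply(stanza, "cancel", "policy-violation", "Communication with this domain is restricted"))
	     end
	     return true
```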
@@ -41,6 +55,7 @@
 	if guard_blockall:contains(host) or guard_protect:contains(host) then
 		if hosts[host] and hosts[host].events then
 			hosts[host].events.remove_handler("s2sin-established", s2s_hook)
+			hosts[host].events.remove_handler("route/remote", rr_hook)
 			hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook)
                 	module:log ("debug", "removing host protection for: "..host)
 		end
@@ -50,6 +65,7 @@
 local function init_hosts()
 	for n,table in pairs(hosts) do
 		hosts[n].events.remove_handler("s2sin-established", s2s_hook)
+		hosts[n].events.remove_handler("route/remote", rr_hook)
 		hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", s2s_hook)
 		if guard_blockall:contains(n) or guard_protect:contains(n) then	handle_activation(n) end
 	end