Mercurial > prosody-modules
changeset 515:e98fe28c50b0
mod_host_guard: added exceptions/whitelisting to the blockall logic (makes little sense otherwise has s2s_disallow = true does the same)
author | Marco Cirillo <maranda@lightwitch.org> |
---|---|
date | Tue, 20 Dec 2011 20:19:53 +0000 |
parents | 46e1983486e9 |
children | 3d3687fef751 |
files | mod_host_guard/mod_host_guard.lua |
diffstat | 1 files changed, 5 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_host_guard/mod_host_guard.lua Mon Dec 19 12:29:03 2011 +0000 +++ b/mod_host_guard/mod_host_guard.lua Tue Dec 20 20:19:53 2011 +0000 @@ -4,6 +4,7 @@ module:set_global() local guard_blockall = module:get_option_set("host_guard_blockall", {}) +local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) local guard_protect = module:get_option_set("host_guard_selective", {}) local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) @@ -14,7 +15,7 @@ local _make_connect = s2smanager.make_connect; function s2smanager.make_connect(session, connect_host, connect_port) if not session.s2sValidation then - if guard_blockall:contains(session.from_host) or + if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); s2smanager.destroy_session(session, "You're not authorized, good bye."); @@ -34,7 +35,7 @@ session.s2sValidation = true; end - if guard_blockall:contains(host) or + if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or guard_block_bl:contains(from) and guard_protect:contains(host) then module:log("error", "remote service %s attempted to access restricted host %s", from, host); session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); @@ -47,7 +48,7 @@ local origin, stanza = event.origin, event.stanza; if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then - if guard_blockall:contains(stanza.attr.to) or + if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); @@ -79,6 +80,7 @@ local function reload() module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); guard_blockall = module:get_option_set("host_guard_blockall", {}); + guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}); guard_protect = module:get_option_set("host_guard_components", {}); guard_block_bl = module:get_option_set("host_guard_blacklist", {}); end