prosody-modules: mod_firewall/README.markdown@573fe9825fba (annotated)

1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	1	---
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	2	labels:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	3	- 'Stage-Alpha'
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	4	summary: 'A rule-based stanza filtering module'
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	5	...
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	6
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	7	------------------------------------------------------------------------
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	8
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	9	Note: mod\_firewall is in its very early stages. This documentation
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	10	is liable to change, and some described functionality may be missing,
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	11	incomplete or contain bugs. Feedback is welcome in the comments section
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	12	at the bottom of this page.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	13
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	14	------------------------------------------------------------------------
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	15
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	16	Introduction
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	17	============
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	18
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	19	A firewall is an invaluable tool in the sysadmin's toolbox. However
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	20	while low-level firewalls such as iptables and pf are incredibly good at
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	21	what they do, they are generally not able to handle application-layer
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	22	rules.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	23
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	24	The goal of mod\_firewall is to provide similar services at the XMPP
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	25	layer. Based on rule scripts it can efficiently block, bounce, drop,
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	26	forward, copy, redirect stanzas and more! Furthermore all rules can be
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	27	applied and updated dynamically at runtime without restarting the
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	28	server.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	29
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	30	Details
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	31	=======
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	32
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	33	mod\_firewall loads one or more scripts, and compiles these to Lua code
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	34	that reacts to stanzas flowing through Prosody. The firewall script
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	35	syntax is unusual, but straightforward.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	36
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	37	A firewall script is dominated by rules. Each rule has two parts:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	38	conditions, and actions. When a stanza matches all of the conditions,
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	39	all of the actions are executed in order.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	40
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	41	Here is a simple example to block stanzas from spammer@example.com:
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	42
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	43	FROM: spammer@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	44	DROP.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	45
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	46	FROM is a condition, and DROP is an action. This is about as simple as
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	47	it gets. How about heading to the other extreme? Let's demonstrate
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	48	something more complex that mod\_firewall can do for you:
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	49
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	50	%ZONE myorganisation: staff.myorg.example, support.myorg.example
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	51
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	52	ENTERING: myorganisation
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	53	KIND: message
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	54	TIME: 12am-9am, 5pm-12am, Saturday, Sunday
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	55	REPLY=Sorry, I am afraid our office is closed at the moment. If you need assistance, please call our 24-hour support line on 123-456-789.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	56
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	57	This rule will reply with a short message whenever someone tries to send
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	58	a message to someone at any of the hosts defined in the 'myorganisation'
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	59	outside of office hours.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	60
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	61	Firewall rules should be written to a `ruleset.pfw` file. Multiple such
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	62	rule files can be specified in the configuration using:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	63
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	64	firewall_scripts = { "path/to/ruleset.pfw" }
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	65
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	66	Conditions
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	67	----------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	68
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	69	All conditions must come before any action in a rule block. The
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	70	condition name is followed by a colon (':'), and the value to test for.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	71
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	72	A condition can be preceded or followed by `NOT` to negate its match.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	73	For example:
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	74
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	75	NOT FROM: user@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	76	KIND NOT: message
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	77
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	78	### Zones
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	79
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	80	A 'zone' is one or more hosts or JIDs. It is possible to match when a
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	81	stanza is entering or leaving a zone, while at the same time not
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	82	matching traffic passing between JIDs in the same zone.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	83
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	84	Zones are defined at the top of a script with the following syntax (they
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	85	are not part of a rule block):
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	86
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	87	%ZONE myzone: host1, host2, user@host3, foo.bar.example
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	88
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	89	A host listed in a zone also matches all users on that host (but not
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	90	subdomains).
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	91
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	92	The following zone-matching conditions are supported:
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	93
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	94	Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	95	------------ ------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	96	`ENTERING` When a stanza is entering the named zone
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	97	`LEAVING` When a stanza is leaving the named zone
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	98
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	99	### Stanza matching
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	100
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	101	Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	102	----------- ------------------------------------------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	103	`KIND` The kind of stanza. May be 'message', 'presence' or 'iq'
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	104	`TYPE` The type of stanza. This varies depending on the kind of stanza. See 'Stanza types' below for more information.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	105	`PAYLOAD` The stanza contains a child with the given namespace. Useful for determining the type of an iq request, or whether a message contains a certain extension.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	106	`INSPECT` The node at the specified path exists or matches a given string. This allows you to look anywhere inside a stanza. See below for examples and more.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	107
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	108	#### Stanza types
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	109
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	110	Stanza Valid types
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	111	---------- ------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	112	iq get, set, result, error
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	113	presence available, unavailable, probe, subscribe, subscribed, unsubscribe, unsubscribed, error
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	114	message normal, chat, groupchat, headline, error
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	115
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	116	Note: The type 'available' for presence does not actually appear in
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	117	the protocol. Available presence is signalled by the omission of a type.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	118	Similarly, a message stanza with no type is equivalent to one of type
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	119	'normal'. mod\_firewall handles these cases for you automatically.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	120
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	121	#### INSPECT
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	122
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	123	INSPECT takes a 'path' through the stanza to get a string (an attribute
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	124	value or text content). An example is the best way to explain. Let's
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	125	check that a user is not trying to register an account with the username
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	126	'admin'. This stanza comes from [XEP-0077: In-band
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	127	Registration](http://xmpp.org/extensions/xep-0077.html#example-4):
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	128
2006 ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	129	``` xml
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	130	<iq type='set' id='reg2'>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	131	<query xmlns='jabber:iq:register'>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	132	<username>bill</username>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	133	<password>Calliope</password>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	134	<email>bard@shakespeare.lit</email>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	135	</query>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	136	</iq>
ce991c678370 mod_firewall/README: Markup XML example as XML :) Kim Alvefur <zash@zash.se> parents: 1807 diff changeset	137	```
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	138
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	139	KIND: iq
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	140	TYPE: set
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	141	PAYLOAD: jabber:iq:register
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	142	INSPECT: {jabber:iq:register}query/username#=admin
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	143	BOUNCE=not-allowed The username 'admin' is reserved.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	144
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	145	That weird string deserves some explanation. It is a path, divided into
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	146	segments by '/'. Each segment describes an element by its name,
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	147	optionally prefixed by its namespace in curly braces ('{...}'). If the
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	148	path ends with a '\#' then the text content of the last element will be
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	149	returned. If the path ends with '@name' then the value of the attribute
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	150	'name' will be returned.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	151
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	152	INSPECT is somewhat slower than the other stanza matching conditions. To
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	153	minimise performance impact, always place it below other faster
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	154	condition checks where possible (e.g. above we first checked KIND, TYPE
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	155	and PAYLOAD matched before INSPECT).
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	156
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	157	### Sender/recipient matching
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	158
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	159	Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	160	----------- -------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	161	`FROM` The JID in the 'from' attribute matches the given JID
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	162	`TO` The JID in the 'to' attribute matches the given JID
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	163
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	164	These conditions both accept wildcards in the JID when the wildcard
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	165	expression is enclosed in angle brackets ('\<...\>'). For example:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	166
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	167	# All users at example.com
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	168	FROM: <*>@example.com
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	169
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	170	# The user 'admin' on any subdomain of example.com
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	171	FROM: admin@<*.example.com>
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	172
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	173	You can also use [Lua's pattern
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	174	matching](http://www.lua.org/manual/5.1/manual.html#5.4.1) for more
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	175	powerful matching abilities. Patterns are a lightweight
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	176	regular-expression alternative. Simply contain the pattern in double
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	177	angle brackets. The pattern is automatically anchored at the start and
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	178	end (so it must match the entire portion of the JID).
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	179
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	180	# Match admin@example.com, and admin1@example.com, etc.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	181	FROM: <<admin%d*>>@example.com
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	182
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	183	Note: It is important to know that 'example.com' is a valid JID on
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	184	its own, and does not match 'user@example.com'. To perform domain
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	185	whitelists or blacklists, use Zones.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	186
2051 2ec7c0b8a371 mod_firewall/README: Fix table Kim Alvefur <zash@zash.se> parents: 2040 diff changeset	187	Condition Matches
2ec7c0b8a371 mod_firewall/README: Fix table Kim Alvefur <zash@zash.se> parents: 2040 diff changeset	188	---------------- ---------------------------------------------------------------
2ec7c0b8a371 mod_firewall/README: Fix table Kim Alvefur <zash@zash.se> parents: 2040 diff changeset	189	`FROM_EXACTLY` The JID in the 'from' attribute exactly matches the given JID
2ec7c0b8a371 mod_firewall/README: Fix table Kim Alvefur <zash@zash.se> parents: 2040 diff changeset	190	`TO_EXACTLY` The JID in the 'to' attribute exactly matches the given JID
2040 7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY Matthew Wild <mwild1@gmail.com> parents: 2006 diff changeset	191
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY Matthew Wild <mwild1@gmail.com> parents: 2006 diff changeset	192	These additional conditions do not support pattern matching, but are
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY Matthew Wild <mwild1@gmail.com> parents: 2006 diff changeset	193	useful to match the exact to/from address on a stanza. For example, if
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY Matthew Wild <mwild1@gmail.com> parents: 2006 diff changeset	194	no resource is specified then only bare JIDs will be matched. TO and FROM
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY Matthew Wild <mwild1@gmail.com> parents: 2006 diff changeset	195	match all resources if no resource is specified to match.
7ba6ed553c93 mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY Matthew Wild <mwild1@gmail.com> parents: 2006 diff changeset	196
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	197	Note: Some chains execute before Prosody has performed any
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	198	normalisation or validity checks on the to/from JIDs on an incoming
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	199	stanza. It is not advisable to perform access control or similar rules
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	200	on JIDs in these chains (see the chain documentation for more info).
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	201
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	202	### Time and date
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	203
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	204	#### TIME
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	205
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	206	Matches stanzas sent during certain time periods.
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	207
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	208	Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	209	----------- -------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	210	TIME When the current server local time is within one of the comma-separated time ranges given
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	211
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	212	TIME: 10pm-6am, 14:00-15:00
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	213	REPLY=Zzzz.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	214
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	215	#### DAY
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	216
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	217	It is also possible to match only on certain days of the week.
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	218
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	219	Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	220	----------- -----------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	221	DAY When the current day matches one, or falls within a rage, in the given comma-separated list of days
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	222
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	223	Example:
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	224
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	225	DAY: Sat-Sun, Wednesday
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	226	REPLY=Sorry, I'm out enjoying life!
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	227
2106 2c225b4b93d2 mod_firewall: README: Add note about time functions using server's local time Matthew Wild <mwild1@gmail.com> parents: 2100 diff changeset	228	All times and dates are handled in the server's local time.
2c225b4b93d2 mod_firewall: README: Add note about time functions using server's local time Matthew Wild <mwild1@gmail.com> parents: 2100 diff changeset	229
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	230	### Rate-limiting
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	231
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	232	It is possible to selectively rate-limit stanzas, and use rules to
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	233	decide what to do with stanzas when over the limit.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	234
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	235	First, you must define any rate limits that you are going to use in your
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	236	script. Here we create a limiter called 'normal' that will allow 2
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	237	stanzas per second, and then we define a rule to bounce messages when
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	238	over this limit. Note that the `RATE` definition is not part of a rule
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	239	(multiple rules can share the same limiter).
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	240
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	241	%RATE normal: 2 (burst 3)
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	242
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	243	KIND: message
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	244	LIMIT: normal
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	245	BOUNCE=policy-violation (Sending too fast!)
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	246
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	247	The 'burst' parameter on the rate limit allows you to spread the limit
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	248	check over a given time period. For example the definition shown above
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	249	will allow the limit to be temporarily surpassed, as long as it is
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	250	within the limit after 3 seconds. You will almost always want to specify
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	251	a burst factor.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	252
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	253	Both the rate and the burst can be fractional values. For example a rate
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	254	of 0.1 means only one event is allowed every 10 seconds.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	255
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	256	The LIMIT condition actually does two things; first it counts against
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	257	the given limiter, and then it checks to see if the limiter over its
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	258	limit yet. If it is, the condition matches, otherwise it will not.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	259
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	260	Condition Matches
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	261	----------- --------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	262	`LIMIT` When the named limit is 'used up'. Using this condition automatically counts against that limit.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	263
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	264	Note: Reloading mod\_firewall resets the current state of any
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	265	limiters.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	266
2112 573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	267	### Session marking
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	268
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	269	It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	270	`ORIGIN_MARKED` condition.
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	271
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	272	Condition Description
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	273	------------------------------- ---------------------------------------------------------------
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	274	ORIGIN_MARKED: markname Matches if the origin has been marked with 'markname'.
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	275	ORIGIN_MARKED: markname (Xs) Matches if the origin has been marked with 'markname' within the past X seconds.
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	276
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	277	Example usage:
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	278
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	279	# This rule drops messages from sessions that have been marked as spammers in the past hour
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	280	ORIGIN_MARKED: spammer (3600s)
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	281	DROP.
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	282
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	283	# This rule marks the origin session as a spammer if they send a message to a honeypot JID
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	284	KIND: message
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	285	TO: honeypot@example.com
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	286	MARK_ORIGIN=spammer
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	287
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	288	Actions
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	289	-------
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	290
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	291	Actions come after all conditions in a rule block. There must be at
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	292	least one action, though conditions are optional.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	293
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	294	An action without parameters ends with a full-stop/period ('.'), and one
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	295	with parameters uses an equals sign ('='):
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	296
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	297	# An action with no parameters:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	298	DROP.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	299
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	300	# An action with a parameter:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	301	REPLY=Hello, this is a reply.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	302
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	303	### Route modification
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	304
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	305	The most common actions modify the stanza's route in some way. Currently
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	306	the first matching rule to do so will halt further processing of actions
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	307	and rules (this may change in the future).
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	308
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	309	Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	310	----------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	311	`PASS.` Stop executing actions and rules on this stanza, and let it through this chain.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	312	`DROP.` Stop executing actions and rules on this stanza, and discard it.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	313	`REDIRECT=jid` Redirect the stanza to the given JID.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	314	`REPLY=text` Reply to the stanza (assumed to be a message) with the given text.
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	315	`BOUNCE.` Bounce the stanza with the default error (usually service-unavailable)
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	316	`BOUNCE=error` Bounce the stanza with the given error (MUST be a defined XMPP stanza error, see [RFC6120](http://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions).
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	317	`BOUNCE=error (text)` As above, but include the supplied human-readable text with a description of the error
2096 f5d78bc016a6 mod_firewall: README: Add warning about COPY action's ability to cause loops (thanks Ge0rG) Matthew Wild <mwild1@gmail.com> parents: 2051 diff changeset	318	`COPY=jid` Make a copy of the stanza and send the copy to the specified JID. The copied stanza flows through Prosody's routing code, and as such is affected by firewall rules. Be careful to avoid loops.
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	319
2099 3b4a6d255d7a mod_firewall: README: Add note about BOUNCE and error stanzas/iq results Matthew Wild <mwild1@gmail.com> parents: 2097 diff changeset	320	Note: It is incorrect behaviour to reply to an 'error' stanza with another error, so BOUNCE will simply act the same as 'DROP' for stanzas that should not be bounced (error stanzas and iq results).
3b4a6d255d7a mod_firewall: README: Add note about BOUNCE and error stanzas/iq results Matthew Wild <mwild1@gmail.com> parents: 2097 diff changeset	321
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	322	### Stanza modification
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	323
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	324	These actions make it possible to modify the content and structure of a
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	325	stanza.
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	326
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	327	Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	328	------------------------ ------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	329	`STRIP=name` Remove any child elements with the given name in the default namespace
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	330	`STRIP=name namespace` Remove any child elements with the given name and the given namespace
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	331	`INJECT=xml` Inject the given XML into the stanza as a child element
1786 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	332
2112 573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	333	### Sessions
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	334
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	335	It is possible to mark sessions, and then use these marks to match rules later on.
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	336
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	337	Action Description
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	338	------------------------ --------------------------------------------------------------------------
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	339	`MARK_ORIGIN=mark` Marks the originating session with the given flag.
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	340	`UNMARK_ORIGIN=mark` Removes the given mark from the origin session (if it is set).
573fe9825fba mod_firewall: README: Document session marking Matthew Wild <mwild1@gmail.com> parents: 2109 diff changeset	341
1807 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	342	### Informational
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	343
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	344	Action Description
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	345	--------------- ------------------------------------------------------------------------------------------------------------------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1786 diff changeset	346	`LOG=message` Logs the given message to Prosody's log file. Optionally prefix it with a log level in square brackets, e.g. `[debug]`
2097 7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	347
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	348	You can include expressions in log messages, using `$(...)` syntax. For example, to log the stanza that matched the rule, you can use $(stanza),
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	349	or to log just the top tag of the stanza, use $(stanza:top_tag()).
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	350
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	351	Example:
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	352
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	353	# Log all stanzas to user@example.com:
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	354	TO: user@example.com
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	355	LOG=[debug] User received: $(stanza)
7b9520479e99 mod_firewall: README: Document LOG's ability to take meta expressions Matthew Wild <mwild1@gmail.com> parents: 2096 diff changeset	356
2100 b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	357	Chains
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	358	------
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	359
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	360	Rules are grouped into "chains", which are injected at particular points in Prosody's routing code.
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	361
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	362	Available chains are:
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	363
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	364	Chain Description
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	365	-------------- -------------------------------------------------------------------------------------------
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	366	deliver Applies to stanzas delivered to local recipients (regardless of the stanza's origin)
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	367	deliver_remote Applies to stanzas delivered to remote recipients (just before they leave the local server)
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	368	preroute Applies to incoming stanzas from local users, before any routing rules are applied
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	369
2107 11f047bcb9e4 mod_firewall: README: Add note about user-defined chains Matthew Wild <mwild1@gmail.com> parents: 2106 diff changeset	370	By default, if no chain is specified, rules are put into the 'deliver' chain. It is possible to create custom
11f047bcb9e4 mod_firewall: README: Add note about user-defined chains Matthew Wild <mwild1@gmail.com> parents: 2106 diff changeset	371	chains (useful with the JUMP_CHAIN action described below). User-created chains must begin with "user/", e.g.
11f047bcb9e4 mod_firewall: README: Add note about user-defined chains Matthew Wild <mwild1@gmail.com> parents: 2106 diff changeset	372	"user/spam_filtering".
2100 b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	373
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	374	Example of chain use:
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	375
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	376	# example.com's firewall script
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	377
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	378	# This line is optional, because 'deliver' is the default chain anyway:
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	379	::deliver
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	380
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	381	# This rule matches any stanzas delivered to our local user bob:
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	382	TO: bob@example.com
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	383	DROP.
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	384
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	385	# Oops! This rule will never match, because alice is not a local user,
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	386	# and only stanzas to local users go through the 'deliver' chain:
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	387	TO: alice@remote.example.com
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	388	DROP.
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	389
2108 384fb28452b9 mod_firewall: README: Improve chain usage example comments Matthew Wild <mwild1@gmail.com> parents: 2107 diff changeset	390	# Create a 'preroute' chain of rules (matched for incoming stanzas from local clients):
2100 b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	391	::preroute
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	392	# These rules are matched for outgoing stanzas from local clients
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	393
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	394	# This will match any stanzas sent to alice from a local user:
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	395	TO: alice@remote.example.com
b75d29a162cd mod_firewall: README: Document chains Matthew Wild <mwild1@gmail.com> parents: 2099 diff changeset	396	DROP.
2109 f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN Matthew Wild <mwild1@gmail.com> parents: 2108 diff changeset	397
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN Matthew Wild <mwild1@gmail.com> parents: 2108 diff changeset	398	Action Description
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN Matthew Wild <mwild1@gmail.com> parents: 2108 diff changeset	399	------------------------ ------------------------------------------------------------------------
f2d5aa789646 mod_firewall: README: Document JUMP_CHAIN Matthew Wild <mwild1@gmail.com> parents: 2108 diff changeset	400	`JUMP_CHAIN=name` Switches chains, and passes the stanza through the rules in chain 'name'. If the new chain causes the stanza to be dropped/redirected, the current chain halts further processing.

author	Matthew Wild <mwild1@gmail.com>
	Thu, 17 Mar 2016 11:33:57 +0000
changeset 2112	573fe9825fba
parent 2109	f2d5aa789646
child 2114	c26b28c65d47
permissions	-rw-r--r--